Chapter 1: Privacy in Tort Law

  • Data Breach
    • Remijas v. Neiman Marcus, 794 F.3d 688 (7th Cir. 2015) (finding that plaintiffs whose credit card data was breached had standing to pursue tort and other state-law claims against the company that collected the data)

Chapter 2: Constitutional Privacy

  • First Amendment
    • In re Grand Jury Subpoena, No. 16-03-217 (Glassdoor, Inc.), 875 F.3d 1179 (9th Cir. 2017) (finding website operator has third party standing to assert users’ First Amendment rights and applying Branzburg good-faith test to require disclosure of anonymous users’ identities)
    • Wollschlaeger v. Governor, Florida, 848 F.3d 1293 (11th Cir. 2017) (en banc) (finding that certain provisions of Florida’s Firearms Owners’ Privacy Act are unconstitutional content-based restrictions on the speech of doctors and medical professionals)
    • Packingham v. North Carolina, 137 S. Ct. 1730 (2017) (holding that a statute prohibiting sex offenders from accessing social networking websites violated the First Amendment)
    • Signature Management Team, LLC v. Doe, 876 F.3d 831 (6th Cir. 2017) (finding a rebuttable presumption of open judicial records in favor of unmasking anonymous defendants when judgment has been entered for a plaintiff)
    • Citizens United v. Schneiderman, 882 F.3d 374 (2nd Cir. 2018) (upholding donor disclosure rules for non-profits under First Amendment “exacting scrutiny” standard)
    • Perez v. City of Roseville, 882 F.3d 843 (9th Cir. 2018) (finding termination of employment for officer based on off-duty affair violated First Amendment right to privacy and intimate association)
  • Second Amendment
    • Wollschlaeger v. Governor, Florida, 848 F.3d 1293 (11th Cir. 2017) (en banc) (striking down as unconstitutional under the First Amendment certain portions of Florida’s Firearms Owners’ Privacy Act)
  • Fourth Amendment
    • United States v. DE L’Isle, 825 F.3d 426 (8th Cir. 2016) (scanning magnetic strip on credit card not a trespassory search under Fourth Amendment)
    • Belleau v. Wall, 811 F.3d 929 (7th Cir. 2016)
    • In re Grand Jury Subpoena, JK-15-029 (John Kitzhaber), 828 F.3d 1083 (9th Cir. 2016) (finding that a district court has the supervisory power and responsibility to quash a vastly overbroad grand jury subpoena for e-mail records)
    • Birchfied v. North Dakota, 136 S. Ct. 2160 (2016) (holding that the Fourth Amendment does not permit warrantless blood tests incident to arrest for drunk driving and that motorists cannot be deemed to have consented to submitted to a blood test on pain of committing a criminal offense)
    • Utah v. Strieff, 135 S. Ct. 2056 (US 2016) (finding that an officer’s discovery of a valid, pre-existing warrant during an otherwise unlawful investigatory stop justified denial of a defendant’s motion to suppress)
    • Byrd v. Maricopa Cnty. Bd. of Supervisors, 845 F.3d 919 (9th Cir. 2017) (holding that prison policy of allowing cross-gender guard observation of pretrial detainee’s showering and using the bathroom violated the Fourth Amendment)
    • Sims v. Labowitz, 885 F.3d 254 (4th Cir. 2018) (finding it clearly established that a sexually invasive search of a minor was unconstitutional despite the existence of a warrant)
    • United States v. Houston, 813 F.3d 282 (6th Cir. 2016) (holding that an officer’s warrantless use of a stationary camera on top of a public utility pole to record video and audio of an individual’s private property did not violate the Fourth Amendment)
    • United States v. Pacheco, 884 F.3d 1031 (10th Cir. 2018) (finding search of cell phone during warrantless search of parolee’s home was reasonable under totality of the circumstances test)
    • United States v. Vergara, 884 F.3d 1309 (11th Cir. 2018) (holding that a warrantless forensic search of an individual’s cell phone at the border did not violate the Fourth Amendment)
    • Byrd v. United States, 138 S. Ct. 1518 (U.S. 2018) (finding that a driver in lawful possession of a rental car has a reasonable expectation of privacy in the contents of the car even if he is not listed an authorized driver on the rental agreement)
    • Carpenter v. United States, 138 S. Ct. 2206 (US 2018) (ruling that historical cell phone location records are generally protected under the Fourth Amendment)
      • But see United States v. Banks, 884 F.3d 998 (10th Cir. 2018) (finding that exigent circumstances justified pinging defendant’s cell phone to gather location data following credible threat to informant safety)
    • Naperville Smart Meter Awareness v. City of Naperville, 900 F.3d 521 (7th Cir. 2018) (finding that collection of electricity data via “smart meter” devices in 15-minute intervals was a reasonable search under the Fourth Amendment)
    • United States v. Reddick, 900 F.3d 636 (5th Cir. 2018) (holding that automated scanning of files uploaded to Microsoft SkyDrive for contraband images, and the reporting of “matched” images to law enforcement, was a private search and thus did not implicate the Fourth Amendment)
    • Walker v. Coffey, 905 F.3d 138 (3d Cir. 2018) (holding that university employer could consent to search of employee’s workplace e-mails)
    • United States v. Correa, __ F.3d ___ (7th Cir. 2018) (finding that repeatedly pressing the button on the electronic garage door opener from defendant’s car to identify his condominium building, using his key fob to enter the building, and testing his mailbox key against mail boxes to identify his unit were all reasonable searches)
    • United States v. Brixen, ___ F.3d ___ (7th Cir. 2018) (holding that the act of sending a message to defendant’s social media account and viewing the notification on his phone was not a search under the Fourth Amendment)
  • Fifth Amendment
    • United States v. Apple MacPro Computer, 851 F.3d 238 (3rd Cir. 2017) (finding no plain error in trial court determination that decryption order did not violate suspect’s Fifth Amendment protection against self-incrimination)
      • See also United States v. Robinson, ___ M.J. ___, 2018 WL 1512067 (C.A.A.F. 2018) (finding that initial consent to search cell phone justified subsequent inquiry, after right to counsel was invoked, for the cell phone passcode); State v. Diamond, 905 N.W. 2d 870 (Minn. 2018) (holding that an order requiring defendant to unlock his cellphone using his fingerprint did not violate his privilege against self-incrminiation)
      • But see In re Application for a Search Warrant, 236 F. Supp. 3d 1066 (N.D. Ill. 2017) (denying warrant application seeking to force an individual at the subject premises to provide a fingerprint or thumbprint in an attempt to unlock any Apple device that may be found)
  • Fourteenth Amendment
    • In re: OPM Data Security Breach Litigation, 266 F. Supp. 3d 1 (D.D.C. 2017) (holding that individuals affected by the OPM data breach could not assert a claim for a violation of their constitutional right to informational privacy)
    • Weaver v. Myers, 229 So.3d 1118 (Fla. 2017) (holding that the right to privacy under the Florida Constitution protects a patient’s medical records, that the right survives after death and can be asserted by family members, and that a state statute requiring ex parte interviews of doctors in malpractice litigation violated the right)
    • Erotic Service Provider Legal Education and Rsch. Project v. Gascon, 880 F.3d 450 (9th Cir. 2018) (state law criminalizing prostitution did not violate the First or Fourteenth Amendments)
    • Hancock v. County of Rensselaer, 882 F.3d 58 (2d Cir. 2018) (finding that unauthorized access to prison employee medical records by county officials may have violated individuals’ Fourteenth Amendment privacy rights)
    • Arroyo Gonzalez v. Rossello Nevares, 305 F. Supp. 3d 327 (D.P.R. 2018) (holding that the Commonwealth’s Birth Certificate Policy violates the decisional and informational privacy rights of transgender persons’ who wish to correct their birth certificates to reflect their true sex)

Chapter 3: Federal Privacy Statutes

  • Article III Standing
    • Spokeo v. Robbins(US 2016) (FCRA) (holding that courts must address whether plaintiffs have alleged a “concrete” injury in order to satisfy the Article III “case or controversy” requirement for federal court jurisdiction)
  • Subscriber Privacy
    • Deacon v. Pandora Media, Inc.,885 N.W.2d 628 (Mich. 2016) (state VPPA equivalent) (finding that a user of a streaming service was not a customer who rented or borrowed sound recordings within the meaning of the Preservation of Personal Privacy Act)
    • Yershov v. Gannett Satellite Info. Network, Inc.,820 F.3d 482 (1st Cir. 2016) (VPPA) (finding that user data disclosed by the USA Today Mobile App was “personally identifiable information” under the VPPA and that the user who downloaded and installed the app was a “consumer” under the statute)
      • But see Eichenberger v. ESPN, Inc., 876 F.3d 979 (9th Cir. 2018) (finding that similar data collected by the “WatchESPN” app was not PII and adopting the “ordinary person” test from the Third Circuit); In re Nickelodeon(3rd Cir. 2016) (holding that the IP address information collected by the Nickelodeon website was not PII “because the term includes only information that ‘readily permit[s] an ordinary person to identify a [particular individual as having watched certain videos]”)
  • Privacy Act
    • Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017) (holding that plaintiffs who brought suit under the Privacy Act and APA following breaches of their personal information at the Department of Veteran Affairs could not establish Article III standing)
      • But see Welborn v. IRS, 218 F. Supp. 3d 64 (D.D.C. 2016) (finding that plaintiffs who alleged that they suffered fraud as a result of the improper disclosure of their tax information had standing to sue for monetary damages, but could not pursue a negligent disclosure claim under the Privacy Act)
    • Ames v. DHS, 861 F.3d 238 (D.C. Cir. 2017) (holding that disclosure of an investigative report from the DHS OIG to the NGA OIG was a permissible ‘routine use’ under the Privacy Act)
    • In re: OPM Data Security Breach Litigation, 266 F. Supp. 3d 1 (D.D.C. 2017) (finding that individuals affected by the OPM data breach could not establish Article III standing and had not stated a claim of actual economic harm under the Privacy Act)
  • Freedom of Information Act
    • Detroit Free Press Inc. v. DOJ, 829 F.3d 478 (6th Cir. 2016) (en banc) (holding that individuals have a privacy interest in their booking photos for the purposes of FOIA exemption 7(C))
  • Drivers’ Privacy Protection Act
    • McDonough v. Anoka Cnty, 799 F.3d 931 (8th Cir. 2015) (finding that the statute of limitations period for DPPA claims runs from the date that the alleged violation occurs and that plaintiffs must allege “high volumes and suspicious timing of access” in order to plausibly state a claim of impermissible access based on audit reports)
    • Arkansas State Police v. Wren, 491 S.W.3d 124 (Ark. 2016) (finding that vehicle accident reports are not motor vehicle records and the personal information in those reports are thus not protected under the DPPA)
    • United States v. Hastle, 854 F.3d 1298 (11th Cir. 2017) (holding that e-mail addresses are included in the DPPA definition of “personal information”)
  • Family Educational Rights and Privacy Act
    • Appeal of Farmington School District, 138 A.3d 496 (N.H. 2016) (applying the FERPA guidelines as incorporated by school board policy)
    • Kendrick v. Advertiser Company, 213 So.3d 573 (Ala. 2016) (holding that disclosure of information regarding loss or reduction of athletic financial aid for students participating in football program was prohibited by FERPA)
    • Krakauer v. Montana, 381 P.3d 524 (Mont. 2016) (finding that student disciplinary records were protected under FERPA)

    Health Information Portability and Accountability Act

    • Oregon Health & Sci. Univ. v. Oregonian Publishing Co., LLC, 403 P.3d 732 (Or. 2017) (holding that personal information related to alleged patient tort claims against state university constituted “protected health information” under HIPPA)
  • Federal Trade Commission Act
    • FTC v. AT&T Mobility LLC, 883 F.3d 848 (9th Cir. 2018) (en banc) (holding that the FTC exemption for common carriers does not bar the agency from regulating non-common-carriage activities by companies that also engage in common-carriage activities)
    • LabMD, Inc. v. FTC, 894 F.3d 1221 (11th Cir. 2018) (finding in data security case that the prohibitions contained in the FTC’s cease and desist orders must be specific in order to be enforceable)
  • Right to Financial Privacy Act
    • Hohman v. Eadle, 894 F.3d 776 (6th Cir. 2018) (holding limited liability corporation taxpayers do not fall within the plain meaning of “customers” under the RCPA and thus could not assert a cause of action against the IRS)
  • Telephone Consumer Protection Act
    • Balsden v. Credit Adjustments, Inc., 813 F.3d 338 (6th Cir. 2016) (finding that prior express consent given to a healthcare provider can be valid consent under the TCPA to future calls from a company seeking to collect the debt incurred to that provider)
    • Patriotic Veterans, Inc. v. Zoeller, 845 F.3d 303 (7th Cir. 2017) (holding that a state-law prohibition on automated telephone calls was a constitutionally valid time, place, and manner speech restriction)
    • Van Patten v. Vertical Fitness Group, LLC, 847 F.3d 1037 (9th Cir. 2017) (finding that the TCPA permits consumers to revoke their prior express consent to be contacted)
    • Bais Yaakov of Spring Valley v. FCC, 852 F.3d 1078 (D.C. Cir. 2017) (holding that the FCC regulation requiring businesses to include opt-out notices on solicited fax messages was unlawful under the TCPA)
    • ACA Int’l v. FCC, 885 F.3d 687 (D.C. Cir. 2018) (granting in part and denying in part petitions challenging an FCC declaratory order under the TCPA; finding that the FCC interpretation of “called party” to include the actual recipient was permissible but rejecting the “one-call safe habor”; rejecting the FCC’s definition of an automatic telephone dialing system because it could conceivably include conventional smartphones; and upholding the agency’s broad interpretation of consent revocation mechanisms)

Chapter 4: Federal Surveillance Law

Chapter 5: International Privacy Law

  • EU General Data Protection Regulation (GDPR) (EU 2018) (The European Union’s comprehensive data protection reform came into effect May 25, 2018.)
  • Microsoft v. United States, 138 S.Ct. 1186 (2018) (finding moot the question of extraterritorial application of Stored Communications Act warrants, in light of the new Clarifying Lawful Overseas Use of Data Act (CLOUD Act))
  • Big Brother Watch v. UK (ECHR, 2018) (finding that UK bulk surveillance violated the uled that the UK surveillance system violated the rights to privacy and free expression under the European Convention on Human Rights due to inadequate legal safeguards)
  • Modernized Convention on Privacy – “Convention 108+” (COE, 2018) (Council of Europe updated international Privacy Convention to require prompt data breach notification, establish national supervisory authorities, permit transfers abroad only when personal data is sufficiently protected, and provide new user rights)
  • Justice K.S. Puttaswamy (Retd.) v. Union of India (“Aadhaar Judgment”) (India, 2018) (striking down provisions of the Indian biometric identification system permitting private entities to demand Aadhar for identification, requiring Aadhar to register for education, and more)
  • Convention on Cybercrime Reform (COE, 2017) (drafting of a new protocol to address cross border law enforcement access to data began)
  • Opinion 1/15(CJEU, 2017) (finding that the EU-Canada Passenger Name Record Agreement permitting retention and transfer of passengers’ personal data violates multiple protections under EU, including the EU Charter right to privacy