Mar. 22, 2014

Business lawyers' event spotlights privacy law

Privacy law experts at an American Business Trial Lawyers event Tuesday discussed the difficulties associated with navigating outdated Internet laws and jurisdictions with wildly different regulations. S. Ashlie Beringer, vice president and deputy general counsel at Facebook Inc., discussed privacy issues with Ronald D. Lee, an Arnold & Porter LLP partner who previously served as director of the Executive Office of National Security; John C. Yoo, a UC Berkeley School of Law professor and one of the attorneys who advised the Bush administration on National Security Agency operations; and Cindy A. Cohn, legal director for the Electronic Frontier Foundation. Beringer said the difference between privacy laws in the U.S. and the European Union has led to tough questions about how international companies should navigate multiple legal systems at the same time. "You may be subject to an order here to produce data that's under your control in Europe, but the act of actually producing it involves processing data that is subject to data privacy rights," she said. "The EU feels very differently about discovery than we do in the U.S., so there's an inherent conflict in our views of privacy." Lee said companies have also faced strange decisions when they sell their products in countries with less developed privacy rights than exist in the U.S. He said RIM, the manufacturer of BlackBerry, had to adjust its product for those regimes. "There were a number of jurisdictions outside the U.S. who said, 'Wait a minute, we need to have surveillance capabilities.' Of course, BlackBerry's big selling point was that they had strong encryption end to end." Many have tried to argue that metadata, information the NSA collects about whom someone is calling, isn't very dangerous on its own, but lawyers shouldn't buy that, Cohn said. "Laywers know that if you track our phone calls, you have a pretty good idea of who our clients are," she said. Yoo said Americans are currently in the middle of a discussion about what exactly constitutes our right to privacy, and the current view is that metadata doesn't count, referencing the U.S. Supreme Court's ruling in Smith v. Maryland. "The theory then was, when the person gives up something to a third party, like a company, we lose our privacy rights about it. When we dial a phone number, we don't have privacy rights on the number anymore because we're giving the phone number to the telephone company." Yoo said he thinks legislation, not judicial action, is the right vehicle for changing U.S. privacy laws and regulations. But Lee said he wasn't holding his breath. "That view has been widely shared for a number of years, and guess what? We still don't have federal data security breach legislation." — Joshua Sebold