Big Data, Data Privacy, EU, Privacy

Big Data viability? Vidal-Hall’s equity bombshell

Following on from my earlier Google v Vidal-Hall post, I thought I’d reverse-engineer the pleadings for the new tort of misuse of private information from three sources: the excerpt appended to the Court of Appeal judgment (http://www.bailii.org/ew/cases/EWCA/Civ/2015/311.html); stray judicial remarks in that judgment; and Tugendhat J’s own supplementary remarks in the lower Court, [2014] EWHC 13 (QB) (http://www.bailii.org/ew/cases/EWHC/QB/2014/13.html). Initially this was merely out of academic curiosity. From the top…

Inferred ingredients/pleadings of the tort of misuse of private information

  • Defendant processed Plaintiff’s private information
  • Relating to which Plaintiff has reasonable expectation(s) of privacy
  • Wrongfully, further in such a way as
    • unjustifiably to infringe Plaintiff’s right to privacy [though per se this looks suspiciously like a Convention-related pleading]; further or alternatively
    • to misuse Plaintiff’s private information
  • Without Plaintiff’s foreknowledge; alternatively
  • Irrespective of Plaintiff’s foreknowledge of Defendant’s intentions;
  • Causing
    • damage to personal dignity, autonomy and integrity; further or alternatively
    • anxiety and distress

Common law remedy claimed: general damages, presumably small (though aggravated damages also were pleaded in Vidal-Hall).

Equitable remedy claimed: account of profits

Account of profits

Here’s the rub. Per Tugendhat J at 40: “There is a claim for an account of profits which, it is alleged, Google Inc made as a result of the misuse of each of the Claimant’s private information…”.

At first sight this seems innocuous. Of course there is no reason why an account of profits should not, as a free-standing equitable remedy (indeed one quite popular with the Googles of this world in IPR infringement and e-commerce disputes generally), be available for this tort.

That said, while of little legal interest (and ignored by the upper court as irrelevant to its deliberations), the possibility of an account of profits may have a devastating strategic commercial effect on Big Data projects past, present, and future in any re-identification context. By that I mean business intelligence or any other projects that seek to aggregate from different sources data about individuals/consumers. The reason is that an account of profits by definition will not only eliminate profit made by any such unlawful project. By creating an additional and substantial cost, the forensic accounting exercise itself, it may render loss-making any project in relation to which consumers successfully pursue an action, either in substantial numbers or as a class action. In turn, the ability of any company running what in hindsight is an unlawful project to remain competitive, or even to continue to exist where unlawfully processed Big Data is the company’s raison d’etre, may be severely compromised.

If that is right and such remedy is sustained, by automatically confiscating any profit this remedy alone would tend to destroy cost-benefit analyses for any and all Big Data analytics projects contemplating unlawful re-identification of English consumers anywhere in the world. In turn that reverses the economics of compliance: the traditional “we’ll just pay the damages/fine and move on” may no longer be viable.

Other issues arising from equity

In any event, as an equitable remedy, an account of profits raises interesting issues. Normally plaintiffs cannot simultaneously claim damages and equitable relief from the same cause of action, except in the alternative. However in this instance plaintiffs theoretically need not forgo a right to general damages, now that the same Court has struck down s.13(2) Data Protection Act 1998. Specifically, s.10 can secure injunctive relief, while s.13 now can secure general as well as special damages under the statutory provisions rather than at common law, which would free the tort of misuse of private information to furnish the remedy of an account of profits. For avoidance of doubt that’s entirely theoretical: I can’t see Courts going for the “double” in respect of special damages, although general damages may be open. Regardless, it does facilitate flexible remedy-shopping based on plaintiff circumstances, and injunctions will be available whether damages or an account is claimed.

These are early days yet. But it seems the times we live in have suddenly become even more interesting.

Disclaimer: nothing said above is legal advice.

Big Data, Data Privacy, Privacy, security

Re-identification gets better – or worse. Again.

First there was re-identification associated with Apple’s iPhone tracking (http://www.theguardian.com/technology/2011/apr/20/iphone-tracking-prompts-privacy-fears), which could be defeated (except for Apple itself and the security services) by disabling the external location feed capability on the iPhone. As I did.

Then (quite distinct from the Google-Apple problem, http://www.theguardian.com/technology/2013/jan/29/google-group-privacy-claim-iphone-tracking) there was re-identification based on other things such as credit card transactions combined with social media usage: http://www.theregister.co.uk/2015/01/30/a_docket_tweet_and_selfie_can_reveal_your_identity_boffins_find/

Which could be defeated (with the same caveats) by disabling web access, not using social media, and (if you’re feeling paranoid) switching off the phone. As I did last year, all but switching off.

In fairness I did have an alternative, immediately compelling reason – my phone was remotely hacked and an email account, which included privileged lawyer-client information, behaved very strangely for a few hours. As I inferred it was actively compromised, presumably by reading my email account IP, username and password directly off the iPhone, I changed the password immediately after disabling non-voice data access on the phone, and my account returned to normal. (I never had solid evidence to prove the identity of the likely hacker, but they’re well known for targeting much more senior lawyers involved in active cases, and just at that time they had specific reasons for interest in me…). I mention this in case others (especially lawyers) don’t realize that the convenience of your email-by-phone might be offset by the potential vulnerability of your email account login details being accessible to skip-tracers or more focused hacking operations. (I don’t actually know the Apple tech or other phone tech associated with securing data passwords on the sim (or phone) from hackers who get read-access to the sim (or phone), so please comment if any of this is wrong and I’ll correct it asap.)

(the stop-gap solution for lawyers ultimately is basic security compartmentalization, just as if minimizing the impact of theft. If you must have email-by-phone access, ideally make it a personal not business account; try to minimize any confidential traffic from your firm or clients; and delete ASAP any confidential traffic that you do get, to minimize any potential impact from a subsequent breach. As for any confidential material you really need to access on the move, I suggest the better solution is to minimize vulnerability by doing it with your laptop from wi-fi hotspots rather than from your phone…)

But I digress. The problem here is that soon we might not be able to defeat Big Data re-identification based on, say, your credit card purchases and phone location, even by switching the phone off: http://www.independent.co.uk/life-style/gadgets-and-tech/news/apple-wants-to-track-iphones–even-when-theyre-turned-off-10066378.html
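To make the linkage problem concrete, here is an added example (my own illustration, not code from the original post or from any of the studies linked above). It assumes a data broker that sells a transaction log after replacing card numbers with tokens, and an analyst who buys the log and also holds a handful of (day, merchant) observations about one target from outside the log: a phone location trail, a geotagged tweet, a selfie at the coffee shop. All names, card numbers, the broker key and the log itself are constructed. Two things are shown: a bare hash of the card number is undone by enumeration, whereas a keyed HMAC token is not without the key; and even with properly keyed tokens, three outside observations are enough to single out one token, which is the re-identification the post is worried about.

```python
import hashlib
import hmac
from collections import defaultdict

# Added example, not from the original post. All data below is constructed.
# Assumed: the broker pseudonymizes card numbers under BROKER_KEY before selling
# the log; the buyer/analyst (our adversary) never sees the key.
BROKER_KEY = b"assumed-broker-secret-key"

# Constructed transaction log: (card number, day of month, merchant).
RAW_LOG = [
    ("4111-1111-0001", 2, "pharmacy_A"),
    ("4111-1111-0001", 2, "coffee_X"),
    ("4111-1111-0001", 9, "clinic_B"),
    ("4111-1111-0001", 17, "coffee_X"),
    ("4111-1111-0002", 2, "pharmacy_A"),
    ("4111-1111-0002", 9, "clinic_B"),
    ("4111-1111-0002", 23, "bookshop_C"),
    ("4111-1111-0003", 2, "pharmacy_A"),
    ("4111-1111-0003", 9, "hardware_D"),
    ("4111-1111-0003", 17, "coffee_X"),
    ("4111-1111-0004", 2, "coffee_X"),
    ("4111-1111-0004", 9, "clinic_B"),
    ("4111-1111-0004", 17, "coffee_X"),
]

# What the adversary knows about the target from outside the log (phone
# location history, a tweet, a selfie): three (day, merchant) points.
# Constructed; the target's card is ...0001.
KNOWN_POINTS = [(2, "pharmacy_A"), (9, "clinic_B"), (17, "coffee_X")]


def keyed_pseudonym(card: str) -> str:
    """Non-reversible pseudonym: HMAC-SHA256 under a key the recipient never sees."""
    return hmac.new(BROKER_KEY, card.encode(), hashlib.sha256).hexdigest()[:16]


def unkeyed_pseudonym(card: str) -> str:
    """A bare hash is a weak pseudonym: anyone who can enumerate plausible inputs reverses it."""
    return hashlib.sha256(card.encode()).hexdigest()[:16]


def pseudonymize(log, pseudo=keyed_pseudonym):
    """Replace the card number with a token; day and merchant are kept for 'analytics'."""
    return [(pseudo(card), day, merchant) for card, day, merchant in log]


def reverse_by_enumeration(token, candidate_cards, pseudo):
    """Dictionary attack: recompute the token for every candidate input and compare."""
    for card in candidate_cards:
        if pseudo(card) == token:
            return card
    return None


def link(pseudo_log, known_points):
    """Tokens whose transactions contain every (day, merchant) point known about the target."""
    points_by_token = defaultdict(set)
    for token, day, merchant in pseudo_log:
        points_by_token[token].add((day, merchant))
    wanted = set(known_points)
    return sorted(t for t, pts in points_by_token.items() if wanted <= pts)


def candidates_after_each_point(pseudo_log, known_points):
    """How the candidate set shrinks as each outside observation is added."""
    return [len(link(pseudo_log, known_points[: i + 1])) for i in range(len(known_points))]


if __name__ == "__main__":
    cards = sorted({card for card, _, _ in RAW_LOG})

    # 1. Reversibility: the unkeyed token falls to enumeration; the keyed one does not
    #    (the adversary can only try the unkeyed recipe, having no key).
    print("unkeyed reversed:", reverse_by_enumeration(unkeyed_pseudonym(cards[0]), cards, unkeyed_pseudonym))
    print("keyed reversed:  ", reverse_by_enumeration(keyed_pseudonym(cards[0]), cards, unkeyed_pseudonym))

    # 2. Linkage: even with keyed tokens, a few outside observations single out one token.
    sold = pseudonymize(RAW_LOG)
    print("candidates after 1, 2, 3 points:", candidates_after_each_point(sold, KNOWN_POINTS))
    print("re-identified token:", link(sold, KNOWN_POINTS))
    print("matches target:", link(sold, KNOWN_POINTS) == [keyed_pseudonym("4111-1111-0001")])
```

The point of the second half is the one that matters for impact management: keying the token stops the analyst reading the card number off the log, but it does nothing about the day and merchant columns, and it is those columns that the outside observations are matched against. Pseudonymization narrows what leaks; it does not by itself stop linkage.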

Oddly, I thought the security services could already poll zombie phones so long as the sim-card is connected up to a battery. By inference then, either (a) my information was wrong (my own telecom IT experiences are too far in the past to assist); (b) it only ever applied to some manufacturers; or (c) they can do it but the relevant manufacturers aren’t allowed to comment.

Either way, this new commercial zombie-phone scenario wouldn’t be such a problem for re-identification, so long as only the security services would get to see the relevant data. But if Apple is patenting the technique, presumably it’ll make it available to anyone to whom Apple sells the data (or of course to anyone managing to hack Apple). I don’t want to switch my phone off whenever I go to an ATM or make a credit card purchase: still less do I wish to disassemble the damn thing every time.

Bottom line: if you want to purchase on credit anything you don’t want others to find out about, such as the name and specialty of your doctor and how much she charges for her incontinence/herpes/gyno/whatever services, don’t carry any Internet of Things device with you when you purchase. Oh, and check that your latest and greatest replacement credit card itself is not an IoT device…

Feedback welcome – if anyone dislikes it, I appreciate constructive criticism and will amend with thanks.

(first published here)

Data Privacy, EU, GDPR, Privacy, Privacy Directive, security

Privacy versus security – which is more important to the business?

An IT security guru published an article today (in comity I do not provide a link). No surprise there. What surprised me is that I thought he put in a very creditable effort to grasp the point about privacy. Unfortunately he still missed by a mile. Not his fault, he’s an IT guy. At least he tried.

I think we need to consider not only the marginally novel idea that privacy and security are distinct concepts (which most people are beginning to grasp), but also the definitely novel idea that they actually ought to be treated as distinct (which few people get). This is a management problem: management might consider getting a grip and stop dumping both privacy and security on IT as Cinderellas. IT, having a hammer, naturally thinks the universe consists of nails and acts accordingly – so both privacy and security are suddenly both IT security issues. Not their concern (nor their fault) that in much data privacy law security is a minor, sometimes near-irrelevant component. Additionally, the phrase “data protection” is most unhelpful, confusing IT geeks and (too many) lawyers alike into thinking it’s all about protection of data, rather than protection of privacy.

To put this in perspective, look at the looming EU General Data Protection Regulation. Why not do a Mythbusters textual analysis of IT/data security within GDPR? I’ve actually done a quick scan-count of the number of Recitals and Articles (May 2014 draft) that deal with security (yes of course I know you’re all thinking either “he doesn’t get out much” or “how sad is that?”). Anyway, here are my un-audited figures:

– Out of circa 140 Recitals, one deals directly with security (plus 3 contain drive-by references)

– Out of circa 80 Articles, one deals directly with security (likewise 7 contain honorable mentions)

Those figures speak for themselves (even if I missed anything). So think of it at best as a duality: to put it in simple terms, security is what you do to try to keep the bad guys out; privacy is (*in part*) what you do as damage control – before the horse bolts rather than afterwards. Or, perhaps, think of it in terms of old-fashioned risk concepts. To put it in risk-speak, security is about minimizing probability, while privacy is about minimizing or, better, eliminating impact. That’s by no means the whole story about privacy, but at least it puts it side by side with security in context. (Edit: In fairness security is not a subset of privacy any more than privacy is a subset of security – thanks Tero!)

Sadly I have more bad news: sometimes only privacy is in play. It’s hardly surprising data security often totally fails to stop data privacy breaches. If you accept their status as distinct domains, this pretty much can be deduced a priori as a matter of logic. That’s why there are frequent data breach scenarios in which there is no conceivable connection to data security in the enterprise. For example the security risk of sold or “shared” data drops to zero once you’ve sold or “shared” it. Think about it. That’s the precise moment the business, by executing the same data transfer, has also maximized its data privacy risk.

Likewise we need to expand our risk assessments to cover private as well as public risk. It doesn’t matter that you’re trying to cover off your public risk with BCRs, SCCs, the Orwellian bad-taste Safe Harbor joke, or whatever. You know, I know, everyone knows, you mostly do that stuff only to keep the regulators happy, or to get your customers thinking that the regulators are happy.

But what makes you think that navel-gazing / box-ticking will protect you from liability in tort? If third parties commit crimes or data breaches as a result of say a transfer, you still may have private risk to come back and bite you on your perfectly “compliant” posterior. And not just the torts your General Counsel will know. Common law torts (and occasionally statutory torts) applicable in any forum in which the local Courts will accept jurisdiction will do very nicely, thank you.

For example (one of many), take everyone’s latest favorite disaster du jour, the Lenovo-Superfish-Komodia fiasco. I might be contemplating my very own personal class action, starting with me as first plaintiff. Yes of course I know it’s already being litigated, but there may well be alternative or complementary litigation available to a desperate or cynical plaintiff such as myself. For instance, the ancient but recently redefined economic tort of “unlawful means conspiracy” might (or might not) fit like a glove. Again, this is just one example, but it’s a fun one for legal geeks. It may not matter that you acted in good faith. It may not matter that a third or fourth party did all the damage. It may not even matter that that was your best legal advice. You see, unlawful means conspiracy doesn’t use the ordinary meaning of “conspiracy”. Acting in concert to do something that (even unbeknownst to you and your lawyers) happens to be unlawful (as well as a necessary pre-requisite of the harm and some other factors) might just satisfy the judge, no matter how much you annoy her by throwing your Data Protection Seals (I’m looking at you, Redmond) or your BCRs or SCCs or a blizzard of DoC Unsafe Harbor registrations at her.

It’s primarily an English tort, you say? Sure (though it’s spreading a bit), but I myself bought my infected Lenovo machine (ok I cleaned it myself almost immediately, but that’s not the point of this parable) seven weeks ago in a bricks ‘n mortar English store. One solid strike. And I’m resident in England and Wales. Another strike. Lenovo might even have an office or agent here (I haven’t bothered to find out, the store has seductively deep pockets anyway so who cares who pays, but I imagine by now you’ve spotted a pattern). Yep, the English courts just might (or might not) accept jurisdiction and, more importantly, might (or might not) think that English law is the proper law to be applied to the tortfeasor. So wheel in the tort. Class action, anyone?

(for avoidance of doubt I’m not soliciting, I don’t do mass torts so please don’t write to me with one of those “I know my rights” plaintiff begging letters)

Interim inference for risk management: no matter how “perfect” your “probability” management, aka your security, it’s not working, is it? (If you disagree, I respectfully suggest you’re having a Clint Eastwood moment: do you feel lucky?) So, as a last resort, why don’t we start focusing on “impact” management – non-reversible pseudonymization etc etc etc – instead? Take privacy seriously at last? This is hardly rocket science, is it? Sure it impacts the bottom line value of your data sales to people, but (crunching one of the GDPR numbers) as much as say 1-5% of world-wide turnover?

One final point: don’t automatically assume your legal insurers will cover you for the next $10-100 million claim against you, especially for new subject matter. The satellite litigation between disappointed class action defendants and their insurers supplies some of the most entertaining case law around…

So: sound-bite answers to the title question of privacy v security? Both are important; they’re ontologically distinct; don’t confuse them.

(oh and chuck out all your “old-school” – I’m being polite – best-practice voodoo risk “assessments”, assuming they’re the ones that contain meaningless magic numbers calculated from other meaningless magic numbers using arbitrary, methodologically unsound algorithms plucked out of somebody’s best-practice behind, and start focusing on quantifiable monetized impact risk – but I think that would be a topic for a hypothetical other time)

All feedback welcome (especially from “dislikers”, if you feel able to explain your position). Though I have some latitude from being in the IT camp as well, I sincerely apologize to anyone I inadvertently may have offended in anything said above.

Nothing said above is legal advice and it may not be relied upon by any person for any purpose whatsoever.

(First published here)

Article 29, Article 29 Working Party, Data Privacy, EU, GDPR, Privacy, Privacy Directive

Article 29 Working Party: The Song

In tribute to the Article 29 Working Party and their excellent Opinions. Adapted (with apologies!) from Old Man River.

Ol’ Workin’ Party,
Dat ol’ Workin’ Party
He mus’know sumpin’
But don’t say nuthin’,
He jes’keeps Opinin’
He keeps on Opinin’ along.

He don’ litigate,
He don’ legislate,
An’ draft Directive?
killed by invective,
But ol’Workin’ Party,
He jes keeps Opinin’along.

You an’me, we sweat an’ strain,
Body all achin’ an’ rack’d wid pain,
File dat motion!
Plead dat tort!
Git a little drunk
An’ you’re stuffed in Court.

Ah gits weary
An’ sick of suin’
Ah’m tired of pleadin’
An’ skeered of appearin’,
But ol’ Workin’ Party,
He jes’keeps Opinin’ along.

Judges wait fo’ de GDPR,
Lawyers wait while de tortfeasors play,
Pleadin’ dose torts from de dawn to sunset,
Gittin’ no injunction till de Judgment day.

Ol’ Workin’ Party,
Dat ol’ Workin’ Party
He mus’know sumpin’
But don’t say nuthin’,
He jes’keeps Opinin’
He keeps on Opinin’ along.