E-Commerce Law Week, Issue 504

Ninth Circuit Upholds Suspicionless Searches of Laptops at the Border

The Ninth Circuit has held that government agents may search laptops and other electronic devices at the border (including Customs control at airports) even without any suspicion that a crime has been committed.   As we previously reported, a federal district court in California had ruled that Customs officers had no basis for suspecting a crime when they searched Michael Arnold's laptop at LAX and found child pornography, and therefore could not use the results of that search in prosecuting Arnold.  The lower court had reasoned that electronic storage devices "function as an extension of our own memory," and that the laptop search was analogous to a "strip or body cavity search" and was thus "an intrusion into ... dignity and privacy interests."  The Ninth Circuit, in United States v. Arnold, disagreed, relying on Supreme Court precedent establishing that a person's expectation of privacy is far lower at the border than inside the country.  The Ninth Circuit also reasoned that the search of a "piece of property … simply does not implicate the same 'dignity and privacy' concerns as 'highly intrusive searches of the person,'" citing the Supreme Court's ruling in United States v. Flores-Montano.  This ruling suggests that privacy-conscious travelers might want to encrypt any sensitive information on their laptops or email it to their destination (though these options are not completely without risk either).

When It Comes to Internet Privacy, " Trenton Makes -- The World Takes"

The unofficial motto of New Jersey's capital once referred to Trenton's manufacturing prowess.  But one day it might refer to the leading role the New Jersey Supreme Court played in creating privacy rights for Internet users.  In State of New Jersey v. Shirley Reid, that court recently held that the New Jersey Constitution "protects an individual's privacy interest in the subscriber information he or she provides to an Internet service provider" even if the Fourth Amendment to the U.S. Constitution does not.  The court found that "disclosure to a third party provider, as an essential step to obtaining service altogether, does not upend the privacy interest at stake."  Accordingly, it upheld a lower court's ruling that subscriber information obtained from an ISP using an invalid subpoena must be suppressed.  This ruling stands in marked contrast to federal court rulings that people generally do not have a constitutionally protected privacy interest in information voluntarily turned over to third parties such as ISPs.  The New Jersey ruling thus could be seen as an important milestone in the development of greater privacy protections for Internet users.  The immediate practical impact of the ruling, however, is somewhat limited, since the court also ruled that the government could reacquire the subscriber information by serving a "proper" subpoena on the ISP. 

Will Breach Notification Visit the Land Down Under?

Data breaches continue to be a major concern for governments worldwide, with notification requirements increasingly at the top of the agenda.  Last month, Australia's Office of the Privacy Commissioner released draft voluntary guidelines for responding to data breaches.  The guidelines were informed by guidance promulgated last year in Canada and New Zealand, which we covered in previous reports, and cover breach prevention, containment, risk assessment, and notification.  Regarding notification, the guidelines suggest that organizations consider the risk of harm posed by a breach when deciding whether to notify individuals.  While the Office pointed out that the Australian Privacy Act 1988 does not yet "specifically require" breach notification, it noted that, in "certain circumstances," breach notification can be a "good privacy practice."  The Office claimed that notification can empower individuals, demonstrate "openness about privacy practices," serve as "a reasonable security safeguard," encourage "consumer trust and confidence," and "provide a strong market incentive for … organisations to adequately secure … personal information."  Citing these benefits, the Office also expressed support for "the introduction of an appropriate mandatory information security breach notification requirement for agencies and organisations."  Public comments on the draft Australian guidelines are due by June 16.

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.