By: Aaron Krowne
In this post we briefly introduce a key aspect of the right to privacy – the reasonable expectation of privacy (“REP”) – and discuss the impact of the recent US Supreme Court decisions in Riley v. California and US v. Wurie on it, with implications for digital information privacy.
The Supreme Court’s recent ruling on July 25, 2014 in the paired cases Riley v. California and United States v. Wurie represents a major development on the REP front. These cases concerned two individuals who had been arrested for relatively minor infractions, yet ended up convinced of major crimes after police searched and made use of information found on their cell phones.
In Riley, a traffic stop for a broken tail light led to a search of the vehicle, and ultimately a search of the driver’s, Riley’s, cell phone. The search of Riley’s phone revealed information that led police to connect him to a recent gang shooting, for which he was convicted. In Wurie, the namesake defendant was witnessed in an apparent street drug sale and was subsequently arrested in a police sting, during which his cell phone was searched. Information on Wurie’s phone led police to his apartment, and when police entered and searched the apartment (Wurie’s girlfriend let them in despite the lack of a warrant) they found a large quantity of drugs, leading to a greatly elevated conviction for Wurie.
Few would argue that Riley and Wurie were not actually guilty of the greater crimes they were connected to based on the information found on their phone; the key question is whether the phone-gleaned evidence was admissible, or if it was inadmissible for being the result of an unreasonable search in violation of the Fourth Amendment. In the face of a shooting and major drug-dealing activity, the Supreme Court surprisingly (to some) said “no” – the evidence was not admissible. The Supreme Court declared that the warrantless searches of cell phones in these cases violated a person’s reasonable expectation of privacy, and that the state’s interest in law enforcement did not trump this expectation.
Much of the debate in these cases (given significant coverage in the opinion) dealt with whether the prevailing rule, from the precedent in US v. Robinson (1973), also applied to Riley and Wurie. In Robinson, the Court found that a search of physical items found on an arrestee (e.g., in a pocket) was permissible under the circumstances of an arrest, and items (or information) discovered this way would generally qualify as admissible evidence to support additional criminal charges. The precedent set in Robinson stood as the general rule, and thus the law of the land, for over 40 years. The prosecution in Riley and Wurie, simply following in this vein, argued that searches of a cell phone were not materially different from searches of physical on-person items during an arrest, and were thus similarly admissible. The Supreme Court vehemently disagreed with this rationale, countering famously:
“[t]hat is like saying a ride on horseback is materially indistinguishable from a flight to the moon. Both are ways of getting from point A to point B, but little else justifies lumping them together.”
“Modern cell phones, as a category, implicate privacy concerns far beyond those implicated by the search of a cigarette pack, a wallet, or a purse. A conclusion that inspecting the contents of an arrestee’s pockets works no substantial additional intrusion on privacy beyond the arrest itself may make sense as applied to physical items, but any extension of that reasoning to digital data has to rest on its own bottom.”
The Supreme Court further explained:
“… The possible intrusion on privacy is not physically limited in the same way when it comes to cell phones… Even the most basic phones that sell for less than $20 might hold photographs, picture messages, text messages, Internet browsing history, a calendar, a thousand-entry phone book, and so on… The sum of an individual’s private life can be reconstructed through a thousand photographs labeled with dates, locations, and descriptions; the same cannot be said of a photograph or two of loved ones tucked into a wallet.”
In sum, the Supreme Court recognized that digital information on a cell phone is so personal and so extensive that there is a significant and reasonable expectation of privacy in that information, as compared to mere physical items one might carrying.
A Strong Signal
Because the decision in Riley was unanimous, the ruling sends an especially strong signal as to where the highest legal doctrine in the land stands regarding REP. Of course, the facts of the cases were limited to warrantless personal electronic device searches by law enforcement during an arrest; but due to the force of unanimity behind the decision and the extensive and clear digital privacy-supporting rationale (just small portions of which were quoted above), the ruling will likely reverberate into other areas of digital information privacy. Further, absent the imminent danger of an arrest, the state interest in breaching privacy is further weakened, implying the Supreme Court’s rationale should apply even more strongly to general (non-arrest) situations. The net effect is that the ruling will likely expand the scope of what is considered REP for digital personal information relative to areas that have been in question in recent years.
Translation To Practice
The Supreme Court’s ruling in Riley provides strong support for a real REP in the voluminous personal information which is now “everywhere” online: in social networks, in “the cloud,” and in corporate databases. This in turn validates consumers’ and the general public’s concern over how that information is used, including attendant issues of:
- how much information is collected, and when;
- how the information is encoded/stored (e.g., anonymized or identifiable);
- who has access to the information (internally or when shared with third parties);
- under what circumstances it is accessed or shared;
- what objective purposes (business or governmental) it can be used for;
- if and when it is disposed of, and how this is carried out;
- how data breaches are handled; and
- how the above policies are formulated and communicated to users.
Of course, these concerns had already begun to find support in state laws and guidelines (e.g., California’s and Florida’s, as well as Canada‘s and other countries effecting US online businesses). But now, the U.S. Supreme Court itself has given powerful voice to them, as well as form to the underlying REP principles, lending greater legitimacy. While this does not mean that every circumstance finds a REP in each trivial bit of consumer data, this development only accelerates the implementation of laws respecting a REP in digital personal information.
For assistance in making sure your polices and practices respect your users’ REP, are compliant with current online privacy laws, and are positioned for the inevitable increase in online privacy laws, be sure to contact one of OlenderFeldman’s certified privacy attorneys today.