In the eyes of the law

EU Data Protection Agencies have been vigorously enforcing violations of regional and national data protection law in recent years against U.S. tech companies but few changes have been made to their business model of exchanging free services for personal data. With the Cambridge Analytica debacle revealing how insufficient American privacy law is, we now find ourselves questioning whether the General Data Protection Regulation (GDPR) is not the onerous 99 article regulation to be feared, but rather a creation years ahead of its time. This paper will explain how the differences in U.S. and EU privacy and data protection law and ideology have led to a wide divergence in enforcement actions and what U.S. companies will need to do in order legally process the data of their users in the EU. The failure of U.S. tech companies to fulfill the requirements of the GDPR, which has extraterritorial application and becomes applicable on May 25, 2018, could result in massive fines (up to $4 billion using the example of Google). The GDPR will mandate a completely new business model for these U.S. tech companies that have been operating for well over a decade with very loose restrictions under U.S. law. Will the GDPR be the end of Google and Facebook or will it be embraced as the gold standard of how companies ought to operate?

Working Paper, 25 Rich. J. L. & Tech. 1, forthcoming 2018

Since a budget squeeze seven years ago, the Internal Revenue Service increasingly has relied on data analytics to meet its growing responsibilities. Drawing on large datasets and social media, the agency touts its advanced analytics program as helping to recover millions of dollars lost to tax fraud and errors. However, the use of this data is a direct violation of our privacy rights, breaching several federal statutes designed to prevent government intrusion — something the IRS fails to acknowledge and disclose. We need to bring our laws up to speed with our technology, in order increase accountability, transparency and oversight — bringing the IRS in line with American values of privacy and due process.

According to information obtained by the American Civil Liberties Union, the IRS has violated the Electronic Communications Privacy Act and legal precedent by obtaining electronic communications without a warrant. This practice, authorized in the IRS audit manual, contradicts the 2010 U.S. v. Warshak ruling, which reaffirmed citizens have a reasonable expectation of privacy in their emails, and the government needs a warrant to obtain them. The IRS agreed in a Senate hearing to cease reviewing emails but said nothing about texts and social media.

Taxpayers are largely oblivious to the ability of institutions such as the IRS to peer into our lives without our knowledge or permission. Two decades after the internet arrived in force on our desktops, and a decade after the arrival of the smartphone, most people are unaware of the IRS’s activities.

People post on social media sites, enter their credit card information online, and routinely answer questions to get to the page they seek without understanding the terms of use and privacy policies that govern such activities.

What rules we do have clearly are intended to protect our privacy. The Privacy Act of 1974, for example, requires government agencies to comply with fair information practices. At a minimum, the law mandates that citizens be informed when the government collects data on them and that they should be given the chance to review and correct the information.

When he introduced the act, U.S. Sen. Sam Ervin said, “The appetite of government and private organizations for information about individuals threatens to usurp the right to privacy, which I have long felt to be among the most basic of our civil liberties as a free people.” At the time, a five-ton supercomputer had 1/1,000^th the computing power of an iPhone. Even then, Ervin worried that computers facilitated a “thousand-fold increase in the ability of the government to store and disseminate information” on individuals.

The IRS’s computer power is now measured in petabytes — quadrillions of bits of information. Its predictive algorithms can audit, track and analyze the internet lives of most every taxpayer. Like so much mislabeled junk mail, this data easily could be flawed. According to my research, published in the Vanderbilt Journal of Entertainment and Technology Law, the algorithms could be extrapolating from false assumptions to discriminate against entire groups of people.

The service rarely discusses this. Its Analytics Department is buried in the IRS web pages. It safeguards its own privacy by claiming that revealing its analytics program and algorithms will help tax cheats game the system or undermine law enforcement. The agency should be transparent about what types of information it collects, and give taxpayers a chance to review and correct errors — federal law states this.

At a minimum, Congress can do a better job of getting up to speed on technology and its power to undermine our democratic values. Laws that were created prior to the internet and social media need to be updated. We need some sort of independent review body that can investigate, monitor and ensure that the IRS’s analytics program not only complies with the letter but also the spirit of privacy law.

We need a tax agency that operates more in the spirit of government by and for the people, not against them. Surely, we can do better.

Published at http://thehill.com/opinion/finance/369792-irs-violating-privacy-laws-must-do-better

THE USE OF BIG DATA ANALYTICS BY THE IRS:
EFFICIENT SOLUTION OR THE END OF PRIVACY AS WE KNOW IT

While many express concerns about private industry’s analytics programs which amass browsing and spending information, few seem to be aware of the government’s involvement in big data and predictive analytics. As the government has a lot more control over your rights and obligations, it would seem that this activity should be reviewed and monitored.

In a paper published last year, we examine the privacy issues resulting from the IRS’s big data analytics program as well as the potential violations of federal law. Although historically, the IRS chose tax returns to audit based on internal mathematical mistakes or mismatches with third party reports (such as W-2s), the IRS is now engaging in data mining of public and commercial data pools (including social media) and creating highly detailed profiles of taxpayers upon which to run data analytics. We argue that current IRS practices, mostly unknown to the general public are violating fair information practices. This lack of transparency and accountability not only violates federal law regarding the government’s data collection activities and use of predictive algorithms, but may also result in discrimination. While the potential efficiencies that big data analytics provides may appear to be a panacea for the IRS’s budget woes, unchecked, these activities are a significant threat to privacy. Other concerns regarding the IRS’s entrée into big data are raised including the potential for political targeting, data breaches, and the misuse of such information. This article is intended to bring attention to these privacy concerns and contribute to the academic and policy discussions about the risks presented by the IRS’s data collection, mining and analytics activities.

Houser, Kimberly A. and Sanders, Debra, The Use of Big Data Analytics by the IRS: Efficient Solution or the End of Privacy as We Know it? (March 29, 2017). Vanderbilt Journal of Entertainment & Technology Law, Vol. 19, No. 4, 2017. Available at SSRN: https://ssrn.com/abstract=2943002

One of the main issues with federal marijuana policy is that it is completely inconsistent and unpredictable. In my last post I opined that Obama might tackle this issue prior to leaving office. Unfortunately, his failure to act has made the situation worse with our new AG, Jeff Sessions. Sessions has spouted a number of unsubstantiated claims regarding marijuana and has indicated that he could act to repeal the Cole Memo and to influence Congress to halt the extension of the Rohrabacher-Blumenauer (f/k/a Rohrabacher–Farr) amendment which was passed in 2014 and has been renewed annually ever since. This amendment protects medical marijuana patients complying with state law from prosecution by federal authorities. His position is at odds with the 90% of Americans who wish to see, at the very least, medical marijuana legalized. There are many who recognize that the placement of marijuana on Schedule 1 of the Controlled Substances Act (classifying marijuana as a dangerous drug on par with heroin and methamphetamines) is causing more harm than good: significant harm to those serving time for minor drug offenses, for those who wish to research its effects, and certainly making it difficult for patients with a variety of ailments from obtaining it. With respect to businesses engaged in the state-legal sale of marijuana for recreational purposes, it is not widely known that they are unable to deduct their business expenses, unlike most other businesses which are illegal at the federal level. In other words, if you run a prostitution ring or dog-fighting operation, you are permitted to deduct your rent, utilities and employment expenses. If you run a state-legal marijuana shop you must pay federal taxes on your gross income minus only the cost of goods sold due to the language in IRC 280E. This bizarre treatment is discussed in my article Marijuana Business and Sec. 280E: Potential Pitfalls for Clients and Advisers, The Tax Adviser, 46-7, 524-533 (2015) with co-author Jeffrey Gramlich. While state-legal businesses struggle with tax, banking, and the potential for a federal crackdown, states’ rights are being trampled on. In my article What Inconsistent Federal Policy Means for Marijuana Business Owners: Washington’s I-502 and the Federal Controlled Substances Act, GULR (2014/15) 50-3, 305-335, I discuss the myriad of issues that state-legal marijuana businesses face and how the federal regulation of marijuana flies in the face of the intent of our forefather’s stance on state police powers.

Yesterday, former Attorney General, Eric Holder, stated on Frontline that it is time to reschedule marijuana. While I would recommend descheduling marijuana, as I mention in several articles that I have written on the topic, this is a really important change from his statements during his tenure as AG. Because Holder may have some influence in the White House, it is possible that this issue could be addressed by the President before the next election.

I have to admire a Judge who treats everyone the same. This Judge in Michigan has a strict no cell phone policy in his courtroom. When his cell phone rang during a trial (because he failed to turn it off), he fined himself $25 which he promptly paid. I admire integrity and am especially proud when I hear of someone in the legal profession demonstrating it.

http://www.abajournal.com/news/article/oops._judge_holds_himself_in_contempt_when_his_own_cellphone_rings_during/?utm_source=feedburner&utm_medium=feed&utm_campaign=ABA+Journal+Top+Stories

The Supreme Court recently heard oral arguments in the case of Missouri v. McNeeley, No. 11-1425. At issue was whether or not the police must obtain a warrant prior to drawing blood from a person suspected of driving while under the influence of alcohol. McNeeley was pulled over for speeding and failed the field sobriety test. After refusing the breathalyzer, McNeeley was taken to the hospital where after refusing to allow his blood to be drawn, had the blood forcibly taken from his body. The trial court threw out the evidence from the blood test as being an unreasonable seizure in violation of the Fourth Amendment. The state appealed to the US Supreme Court asking that it declare that there is no need to obtain a warrant to draw blood. (Current law permits the drawing of blood without consent and without a warrant when alcohol is suspected after an accident with injuries). The state is asking for an extension of this rule to apply even when there is not an “exigent circumstance” such as an injury accident.

The state’s request is an example of everything that is wrong with our government today. I think reasonable people would agree that sticking a needle into your arm and forcibly withdrawing blood to be evaluated with the results being used against you in a criminal trial is not only an unreasonable seizure but would also violated your Fifth Amendment right against self-incrimination. When you read dystopian novels popular in the early 1900s and again today, the cause the dystopianism is always government intrusion on individual’s rights.[i]

Although I do not agree that there are any circumstances which should permit the government to forcibly take your bodily fluids to be used against you in a criminal prosecution without first obtaining a warrant, I am especially concerned that a state would feel comfortable asking to be able to conduct this type of activity without regard to the Constitution. As our rights continue to erode through the unchecked increase in government intrusion into our lives, we have to ask ourselves, when will enough be enough?

Employers Beware: What you need to know before checking the applicants Facebook page
As tempting as it may be to check an applicant’s Facebook profile as part of the screening process, there are some legal issues you should be aware of prior to doing so. First of all, a Facebook profile includes more than just work-related information. It could contain information about a person’s age, religion, race, national origin, sexual orientation, and associations. Making yourself privy to such information prior to hiring someone puts you at risk for a discrimination claim. If you wouldn’t ask for this information during an interview, you probably shouldn’t be collecting it from a social media site. If you are only checking Facebook profiles of those applicants who have profiles, you are treating your applicants differently. The overabundance of personal information on one candidate may cloud your judgment where it is not an issue with the candidate who does not have a profile. Facebook recently indicated that asking for a user’s password is a violation of Facebook’s Statement of Rights and Responsibilities. There are also several U.S. states that are considering legislation that would ban this practice.
With the proliferation of social media sites such as blogs, Facebook, and LinkedIn, and their increasing prominence in the business realm, it is not surprising that employers have begun to access the information posted on these sites in the course of conducting background checks on prospective employees. It is not a good practice, however.