This is page 4 of:
NSA Phone Data Grab Raises Frightening Retail Questions. Can Complying With A Lawful Warrant Still Violate A Chain’s Privacy Policy?
If you don’t know the answer to these questions, then you don’t have a strategy for both litigation and customer service. You also don’t really have an effective privacy policy. And the time to write one is not when the NSA is at your doorstep with a FISA court order.
But I Have Immunity, Right? I Was Only Following Orders
So your privacy policy says that you will turn over data in response to court orders or subpoenas. Or maybe in response to “lawful” court orders. Whatever. Years ago, when a previous administration demanded that AT&T provide access to customer data without a warrant (for national security purposes), or when the government made the same demands of airlines for their records, the customers whose privacy was impinged sued. But not the government – they couldn’t sue the government because the government – like the King – has sovereign immunity. So they sued the merchants. Which brings up the next thing. If you ARE going to comply with a subpoena or demand, especially from the government, you want the person demanding the documents to indemnify and hold you harmless for compliance. The reason merchants get sued is both that they have the relationship with the customer, and they don’t have immunity.
In response to the lawsuits, Congress passed a law that gives companies immunity for making “good faith” disclosures of information to the NSA under a warrant. That’s fine if the government demands a small number of records. But where, as in the case of Verizon, the government gets a court order for a database (and not just a record) it’s not clear whether, in good faith, you can or should comply. If the warrant is overbroad or calls for constitutionally protected information (say what customers are reading – Amazon) the warrant may be facially invalid, and you can’t rely on the fact that someone with a robe who is appointed for life by the president signed it. In other words, it’s complicated.
What’s A Merchant To Do?
If the government has a search warrant, and cops with guns, well then step back, get out of the way, and call your lawyers. If they serve a merchant with a court order, demand, subpoena, whatever, well then, step back, get out of the way, and call your lawyers. Just remember that the data sought is YOUR data AND your customers’ data. You are a fiduciary of their interests as much as you are of your own. The essence of privacy is that you collect data for a particular purpose and USE it for that purpose. Once the data is used for another purpose, you break your promise (express or implied) with the data subject. And breaking promises can lead to litigation, and not in a good way.
If you disagree with me, I’ll see you in court, buddy. If you agree with me, however, I would love to hear from you.