State wiretap law does not prevent hospitals from tracking patients on the web and selling their data, the Massachusetts Supreme Judicial Court ruled last week.
The plaintiff is a patient at two hospitals in the Beth Israel Lahey Health network. As the court explained the facts, the plaintiff "reviewed information available to the public on the hospitals' websites regarding doctors (including their credentials and backgrounds) and medical symptoms, conditions, and procedures." Without her consent, the hospitals shared the plaintiff's browsing data with third parties to generate revenue from targeted advertising.
The plaintiff sued under state wiretap law and got some traction in the lower courts, where the theory has bubbled up in other cases, too. The high court ended the trend, though, ruling that the state wiretap law, which threatens criminal penalties such as imprisonment, while reaching interpersonal communications such as telephone calls and email and text exchanges, was not intended to reach persons' interactions with websites.
The 47-page majority opinion by Justice Scott L. Kafker, drew a vigorous and almost as lengthy dissent from Justice Dalila Argaez Wendlandt, who accused the hospitals of lying to patients in their pledges of confidentiality and argued that the alleged misconduct falls squarely within legislative intent in prohibiting the interception of electronic communication.
I won't belabor the back and forth, as ample commentary already has been published about the case (e.g., JD Supra, Commonwealth Beacon, Bloomberg, National Law Review, Law360 (subscription), Massachusetts Lawyers Weekly (subscription)), and there is plenty more to come. Rather, I will comment only that the decision reflects the sorry state of privacy law in the United States.
The majority and dissent both make defensible arguments. I come down with the dissent on the technical merits of what the wiretap law was designed to prevent, i.e. "the spirit of the law," regardless of whether the legislature could have foreseen web surveillance. At the same time, the majority is right that the legislature likely would not have wanted to imprison every actor engaging in the kind of web surveillance that has become pervasive in our online society.
The missing link between the two positions is the meaningful data protection law that the United States still doesn't have, and which Americans want and expect, while almost three decades have passed since the European Union Data Protection Directive. The later General Data Protection Regulation (GDPR) has been in force for six years.
Wiretap law was once the stuff of political intrigue, Ã la Watergate. The Massachusetts statute characteristically dates to the 1960s. Just as the advent of the internet made media law again hotly relevant to society, so wiretap law found new life in the electronic era. Courts had little difficulty transposing the law of wired telephone surveillance to wireless cell phones and electronic communication media such as email and texts. Even the U.S. Supreme Court got in on the action.
That's why I think Wendlandt has the better argument on the technical merits, by the way. The majority's distinction of interaction with a person or a website, when there are persons receiving surveillance data from the website, seems meaninglessly formalistic.
With electronic communication burgeoning in the internet era and electronic interception easier to accomplish without the need for specialized hardware, wiretap laws have been repurposed to do more work than they were designed for, becoming a key tool in the personal privacy arsenal.
The problem in tort law, to oversimplify modestly, always has been what Professor Daniel Solove termed "the secrecy paradigm." The common law of privacy torts, which also emerged largely in the 1960s, was not designed to handle the nuances of an online world. Rather, tort law, like the Fourth Amendment right against search and seizure, focused on secrets kept. A person might resort to the law to protect an intimate secret shared with a spouse. But the person who discloses financial information to a bank has forfeit legal privacy.
Intimate space is not the theory of privacy that animates data protection in Europe and most of the rest of the world. In the theory abroad, the human right of privacy flows forward with personal data as they are handed off from person to person and corporation to corporation. In the United States, the Health Insurance Portability and Accountability Act (HIPAA) provides a modicum of privacy protection in this vein, but the circumstances in which it pertains are extremely narrow—web activity is not protected health information, and a web host is not a healthcare provider—and it authorizes no private right of action for violation.
In the absence of a legal model of downstream privacy preservation in the United States—notwithstanding a perplexing emerging plethora of competing state laws, if usually limited to commercial contexts; Massachusetts has been working on joining the pack, but has not yet—wiretap law has been unexpectedly instrumental to protect personal privacy in a narrow class of cases, because wiretap law focuses on the misconduct of clandestine surveillance rather than on the purportedly private nature of the intercepted content.
To be fair to the Massachusetts majority, though, such use of anachronistic wiretap law
takes us down a road of ever more speculative application as the electronic avatar increasingly becomes an embodiment of personal
identity. Electronic tools such as Google Analytics watch our every word. And we don't necessarily want to stop that wholesale. The other day, I watched a dated TV movie that Amazon thought I would like, and it was right. Time travel, Ireland, and Jane Seymour? Drop everything.
Notwithstanding which side in the instant case has the better argument in statutory interpretation, the legal response to the problem presented, that is, surveillance of web usage for the relatively innocuous if mercantile purpose of advertising, would arise better from business regulation than from common law or statutory torts.
Alas, if I had the magic potion that would make our broken Congress favor consumer protection over corporate profits, I would be running for President.
The case is Vita v. New England Baptist Hospital, No. SJC-13542 (Mass. Oct. 24, 2024).