Posts

MRR Article: Can Europe’s New Privacy Rule Cost My Business Money?

By: Barry M. Miller & Curtis M. Graham

If your business offers goods or services to consumers in the European Union (or tracks information on EU consumers), you must become familiar with the acronym “GDPR.” The “General Data Protection Regulation” goes into effect May 25, 2018. And even if you are confident that your business complies with state or U.S. data-protection principles, that confidence may not be warranted as you face the GDPR.

Your business may already take care to protect information such as a customer’s Social Security number, credit card number, health data, and other personally identifiable information. But the GDPR broadens the definition of personal data that holders must protect. Article 4 of the GDPR defines “personal data” to include “any information relating to an identified or identifiable natural person (‘data subject’)” relating to the “physiological, genetic, mental, economic, cultural or social identity of that natural person.” Information about a person’s race or ethnicity, religious affiliation (or non-affiliation), political leanings, or sexual orientation would fall within this definition.

How does the GDPR impose obligations on American businesses in the first place? Its drafters intend the regulation to apply to anyone who processes the personal data of an EU resident—even if the processing is not done in the EU. Whether that intended reach can be enforced against an American business will be the subject of litigation, both here and in the EU. But as of now, the EU intends to subject data processors to fines of the greater of 20 million euros, or up to four percent of the processor’s annual global revenue. Even if your company is one of the forward-thinking ones, with cyber liability insurance in place, whether such policies cover fines imposed for a breach of the GDPR is something else to be litigated in coming years.

Rita Heimes, who holds the Certified Information Privacy Professional (CIPP) designation under both European and U.S. law (as well as the CIPM credential, for those who manage privacy programs), describes a “core value” of the GDPR: “Natural persons should have control over their own personal data.” She contrasts this with the U.S.-centric view that data, once collected, belongs to the collector. “This means when customers share their data with us it is not ours, but rather theirs, at least as the European Union sees it and as reflected in the GDPR.”

Mike Mandato, of Calyx IT in Cleveland, points out that businesses must carry this mindset through the entire life cycle of data, including data that may not pertain to active transactions—data businesses that businesses might think of as “on file,” but what information technology professionals call “at rest” data. The GDPR gives EU consumers the right to request that their data be removed from a data controller’s systems. This may require businesses to rethink their backup strategy, email and record retention policies, and any other in-house systems that hold “at rest” data. Mandato views this as a mixed blessing: “It is a good opportunity to fine tune security measures and data integrity within a business. But it may present added expense deploying processes and policies to examine data on a periodic basis to maintain compliance.”

What all this means is that companies of all sizes must make a conscious decision whether they want to do business (or continue to do business) with EU residents. They must weigh the potential costs of GDPR-compliance against the amount of business they hope to get from EU consumers. If the potential return is small or non-existent, it may be prudent to forgo that business. If, after weighing the benefits, you decide to retain or pursue business from EU residents, consult your technology vendor, your attorney, and your insurance agent to help you mitigate the potential costs that could follow non-compliance.


For more information, or questions on the topic, please contact Barry Miller at bmiller@mrrlaw.com or Curt Graham at cgraham@mrrlaw.com. Both Barry and Curt focus their practices on Data Management & Cyber Security Law in MRR’s Lexington office.

Barry Miller

Curt Graham

Use of Force During a Medical Emergency: A New Standard from the Sixth Circuit

By: Tami Z. Hannon & Curtis M. Graham

Earlier this year the Sixth Circuit had occasion to address what standard applies to use of force claims in the context of a medical emergency. In Estate of Hill by Hill v. Miracle, 853 F.3d 306 (6th Cir. 2017) a diabetic person filed a 42 U.S.C. § 1983 claim against a law enforcement officer after a taser was used against the plaintiff while he was experiencing a hypoglycemic episode. The plaintiff was agitated toward the responding officer and medical personnel for attempting to treat him and was acting combative and confused. The officer eventually deployed his taser when the plaintiff continued to kick and swing at the paramedics.

The plaintiff alleged that the officer’s decision to use the taser constituted excessive force in violation of his Fourth Amendment rights. He also asserted state law claims of assault, battery and infliction of emotional distress. The officer moved for summary judgment on qualified immunity grounds. This motion was denied by the District Court and the officer then appealed to the Sixth Circuit.

The importance of Miracle is that the Court moved away from the use of force test provided for in Graham v. Connor, 490 U.S. 386 (1989). In Graham, the Supreme Court used a three-factor test to assess the objective reasonableness of an officer’s use of force. Those factors were: (1) the severity of the crime at issue, (2) whether the suspect poses an immediate threat to the safety of the officers or others, and (3) whether he is actively resisting arrest or attempting to evade arrest by flight.

The Miracle Court stated that applying the Graham factors to a medical emergency situation “is equivalent to a baseball player entering the batter’s box with two strikes already against him.” Specifically, because the plaintiff in Miracle had not committed a crime and was not resisting arrest, two of the three Graham factors automatically weighed against the officer. Instead, the Court announced that when the person in question has not committed a crime, is not resisting arrest and is not directly threatening the officer, the court should ask:

(1) Was the person experiencing a medical emergency that rendered him incapable of making a rational decision under circumstances that posed an immediate threat of serious harm to himself or others?

(2) Was some degree of force reasonably necessary to minimize the immediate threat?

(3) Was the force used more than reasonably necessary under the circumstances (i.e., was it excessive)?

If the answers to the first two questions are “yes,” and the answer to the third question is “no,” then the officer is entitled to qualified immunity. Turning to the facts of the case at hand, the Court found the plaintiff was experiencing a medical emergency and was not able to make rational decisions due to his condition. Additionally, the officer and paramedics were put in immediate physical danger by the plaintiff’s combative actions and the plaintiff himself would have been in grave danger had the officer done nothing. Finally, the Court found the force used was reasonably necessary due to the fact that four paramedics had been unable to restrain the plaintiff.

The new factors announced in Miracle allow courts to more appropriately evaluate the reasonableness of officers’ actions in light of the (often unpredictable) circumstances they find themselves in. Law enforcement officers should take note of this important decision involving qualified immunity and keep these principles in mind when they are confronted with situations involving medical emergencies. Additionally, departments would be well served to educate their officers on these factors and possibly revise their policies and procedures in light of this notable decision (particularly those relating to officers’ response to aggression). This may require additional training on recognizing medical emergencies. When it comes to minimizing liability exposure, understanding how a court will assess similar cases in the future is a key to success.


Tami Hannon (thannon@mrrlaw.com) is a Partner in MRR’s Cleveland Office and Curt Graham (cgraham@mrrlaw.com) is an Associate in MRR’s Lexington Office. For more info, please  contact MRR via email or call 440.248.7906.


 

Kentucky’s Court of Appeals Says Jail Surveillance Video Should be Made Part of Administrative Record

The Kentucky Court of Appeals recently issued a decision addressing the type of evidence that should be presented in a jail disciplinary proceeding. In Lawless v. Conover, 2015-CA-000039-MR, 2016 WL 2981580 (Ky. Ct. App. May 20, 2016), an inmate disputed an Adjustment Officer’s (AO) finding that she was guilty of inflicting an injury on a correctional officer. The inmate had requested the AO to view the surveillance camera footage of the incident, because she believed the video supported her version of the events.  Despite finding the inmate guilty of the charge, the AO made no mention of the surveillance footage in her written determination. The inmate subsequently filed suit, challenging the validity of the disciplinary proceeding.

The defendants filed a motion to dismiss the plaintiff’s complaint. In support of that motion, they submitted an affidavit from the AO which stated that, although she had reviewed the video, her finding was not based on it. The case was dismissed by the trial court, as the Court found the plaintiff had “received due process and there is some evidence in the record to support the findings of the AO.”

The Court of Appeals would ultimately reverse the trial court’s dismissal, noting that “specific holdings of the U.S. Supreme Court necessitate particular treatment of an inmate’s request that the prison tribunal consider exculpatory evidence.” Citing Ramirez v. Nietzel, 424 S.W.3d 911 (Ky. 2014), the Court noted that an adjustment officer conducting a hearing must, if requested by an inmate, review security footage and consider its weight in making a finding of guilt or innocence. Additionally, the hearing officer must indicate in his or her written statement that they undertook a review of the video evidence and state whether it confirms or contradicts the inmate’s version of events. The Court also noted the inmate should have been provided access to the surveillance footage or be given a legitimate explanation as to why she was not. Moreover, the surveillance footage should have been reviewed by the circuit court.

Perhaps most importantly, the Court declared “it is the responsibility of the state agency (here, the Department of Corrections) to prepare a record for filing with the circuit court before that court declares the prisoner’s rights.” In other words, the Department of Corrections was required to submit the surveillance footage to the Court. For these reasons, the lower court’s dismissal of the inmate’s lawsuit was reversed, and the Department of Corrections was required to make the surveillance video available for the circuit court’s consideration.

Officials in Kentucky responsible for inmate discipline would be well served to take note of this important opinion. For any questions about the implications of the Lawless or Ramirez decisions or evidentiary issues related to jail discipline in general, please contact the attorneys at Mazanec, Raskin & Ryder Co., L.P.A.


Curtis M. Graham

 

 

Curtis M. Graham
859.899.8516
cgraham@mrrlaw.com

Save

Save

Save

Save

Drones and Law Enforcement – The Future is Now

By: Curtis M. Graham, Esq.

Nowadays it is not uncommon to look up into the sky and see a drone flying overhead. Everyone seems to have one. The rise (pun intended) of unmanned aerial vehicles (“UAVs”) presents interesting questions for law enforcement officials across the country. Some are responding to criminal complaints, as was the case when a University of Kentucky student was charged with second degree wanton endangerment after flying his drone into Commonwealth Stadium prior to a football game last fall. Others are utilizing UAVs to conduct their own search and rescues.

The Somerset Police Department in Kentucky is believed to be the first police department in Kentucky to use an UAV. The Department has received training from the Federal Aviation Administration (FAA) and has created policies and procedures governing the device’s operation. One Department official commented that they are required to notify air traffic controllers at least 30 minutes before any flight and that they cannot fly higher than 400 feet above ground level. Additionally, officials must maintain visual contact with the drone at all times while it is in flight and all pilots must be FAA certified.

But the law is unsettled, and the Kentucky legislature will soon hear House Bill 22 which could prohibit the use of evidence obtained by drones in criminal trials. Additionally, law enforcement agencies using drones would be required to use the drone “in a manner to collect data only on the target and minimize data collection on individuals, homes, or areas other than the target.” The proposed title for the law is the Citizens’ Freedom from Unwarranted Surveillance Act.

Kentucky is not the only state confronting these issues. According to the National Conference of State Legislatures, 45 states considered at least 156 bills relating to drones in 2015. Needless to say the law in this area is rapidly changing, and it is important for law enforcement officials to stay current on the state of the laws governing drone use.


For questions or more information on “Drones and Law Enforcement – The Future is Now,” contact:


Curtis M. Graham  – MRR Lexington
Phone: 859.899.8516
Fax: 859.899.8498
Email: cgraham@mrrlaw.com

Getting Social – How Law Enforcement Can (And Should) Be Using Social Media

By: Curtis M. Graham, Esq.

There is no question that social networking websites have changed the way we live and connect. These sites have also presented opportunities and challenges for law enforcement departments around the country. From community outreach to criminal investigations, it is clear that law enforcement officials have a valuable new tool at their disposal. However, it is critical that they understand how to properly use these sites and avoid common pitfalls.

A recent survey found that Facebook is the most fruitful social network for law enforcement, followed by YouTube. The various social media outlets can be searched when law enforcement officials suspect that a particular individual may be openly boasting about criminal activity or posting incriminating photographs or videos online. Officials may also receive tips through their department’s home page which can then be followed up on. If there is an urgent situation (such as a credible threat of violence), officials may file an emergency request with the site to access information. However, many sites have their own legal teams to review requests and the standard for having such a request granted is very high.

The creation of a sound internal policy is the first step toward using social media to an agency’s benefit. Drafting this policy will require consideration of a number of issues, the most important being compliance with applicable laws and regulations. The logical starting point is the Fourth Amendment, which provides that every person has the right to be free from “unreasonable searches and seizures” of their “persons, houses, papers, and effects.” Officials should be mindful that the degree of Fourth Amendment protection is almost entirely dependent upon the location from which information is seized, the method of its collection and the type of information obtained. Another source of guidance is 28 CFR Part 23, which is a standard for law enforcement agencies that operate federally funded, multijurisdictional criminal intelligence systems. The purpose behind the regulation is to protect individuals’ privacy and constitutional rights during the collection, storage and dissemination of criminal intelligence information.

Each social networking website features its own unique characteristics; this means a one-size-fits-all approach to drafting a policy should be avoided. However, it is always a good idea to be educated about privacy settings and terms-of-service requirements that seem to apply across all platforms. As just one example, photographs that are posted on public, unrestricted profile pages are treated differently than information on pages viewable only by “friends” of the user when it comes to privacy expectations.

With the abundance of information now available online, law enforcement agencies must take steps to ensure that they are following the law when they gather and act on that information. A thorough social media policy can go a long way in achieving that goal.


For questions or more information on “Getting Social – How Law Enforcement Can (And Should) Be Using Social Media,” contact:


Curtis M. Graham  – MRR Lexington
Phone: 859.899.8516
Fax: 859.899.8498
Email: cgraham@mrrlaw.com