Article

Carpenter v. United States Begs for Action

Introduction

The Supreme Court’s decision in Carpenter v. United States1 clearly illustrates that we have been trying to fit a square peg into a round hole for far too long. The 5-4 majority opinion written by Chief Justice Roberts and joined by Justices Ginsburg, Breyer, Sotomayor, and Kagan declined to extend the third-party doctrine to cell-site location information (CSLI), recognizing the “seismic shifts in digital technology” 2 that have taken place since the doctrine arose in the 1970s. The Court, however, did not overturn the doctrine. There were four separate dissenting opinions, highlighting several different issues, including the lack of direction on when to apply what is left of the third-party doctrine. The opinions in Carpenter beg for three major changes concerning data privacy3 and the Fourth Amendment:

the decoupling of data privacy and the Fourth Amendment,

the reconsideration of Katz v. United States,4 and

the adoption of legislation that clearly defines data privacy protection.

Carpenter v. United States

The Carpenter majority handed down a narrow decision, upholding the third-party doctrine that evolved from U.S. v. Miller5 and Smith v. Maryland6 but refusing to extend it to cover CLSI. The doctrine is largely outdated, having emerged in the 1970s before the proliferation of digitized data, massively aggregated data, and sophisticated data collection and analysis.7 The Court held that there is a “world of difference between the limited types of personal information addressed in Smith and Miller and the exhaustive chronicle of information casually collected by wireless carriers today.”8 The Court stated that “[s]uch a chronicle implicates privacy concerns far beyond those considered in Smith and Miller.”

The Court held that “an individual maintains a legitimate expectation of privacy in the record of his physical movements as captured through CLSI.”9 The Court stated that CLSI presents “even greater privacy concerns than the GPS monitoring” 10 considered in United States v. Jones11 because of the constant and perfect surveillance that results. “While individuals regularly leave their vehicles, they compulsively carry cell phones with them all the time.”12 The Court discussed the fact that it needs to take account of technology that is already in use as well as that being developed.13 It reiterated Justice Frankfurter’s warning to tread carefully with new technology so as to not “embarrass the future.”14 The Court did not provide a bright-line test for determining the exact reach of the third-party doctrine in future cases.

Four dissenting opinions expressed several varied objections to the Court’s holding, including the absence of a clear test going forward. The primary thrust of Justice Kennedy’s dissent (which was joined by Justices Thomas and Alito) was that Carpenter could assert neither ownership nor possession of the cell phone data records and had no control over nor right to use the records.15 Persons like Carpenter “have no rights to object to the records’ disclosure.”16 He concluded that “[b]ecause the Katz test is a failed experiment, this Court is dutybound to reconsider it.”17

Justice Thomas believed that the case should not turn on whether a search occurred, but rather on whose property was searched—Carpenter “did not create the records, he does not maintain them, he cannot control them, and he cannot destroy them.”18 He stated that the “more fundamental problem with the Court’s opinion, however, is its use of the ‘reasonable expectation of privacy’ test” from Katz.19 “The Katz test has no basis in the text or history of the Fourth Amendment. . . . Until we confront the problems with this test, Katz will continue to distort Fourth Amendment jurisprudence.”20

Justice Alito’s dissent (which was joined by Justice Thomas) focused primarily on two objections: first, that the Court ignored the basic distinction between an actual search and “an order merely requiring a party to look through its own records and produce specified documents,”21 and second, that the Court “allows a defendant to object to the search of a third party’s property.”22 Prior to this decision, there was much speculation about how Justice Alito would approach this case given his previous statements in United States v. Jones expressing concern about how modern technology has impacted privacy.23 In fact, Justice Alito began his dissent: “I share the Court’s concern about the effect of new technology on personal privacy, but I fear that today’s decision will do far more harm than good.”24

Justice Gorsuch’s dissent is probably the most interesting of the opinions—and possibly the most prescient in several regards.25 First, he discussed the advisability of extending the third-party doctrine to the facts in the case. He stated that he was ready to abandon the third-party doctrine completely because it never really made any sense; the “third-party doctrine is not only wrong, but horribly wrong.”26 He does not think the Court has ever provided a persuasive justification for it and did not want to extend it in this case.27

Next, regarding the advisability of setting aside Smith and Miller and just relying on Katz, Justice Gorsuch was concerned about whether the Katz test would be able to provide much guidance: “We still don’t even know what its ‘reasonable expectation of privacy’ test is.”28 If the Katz test is to be conceived as a normative question, why do judges, rather than legislators, have to determine what society should be prepared to recognize as a legitimate expectation of privacy, he asked.29 He quoted Justice Scalia’s oft-cited observation that “‘reasonable expectations of privacy’ come to bear ‘an uncanny resemblance to those expectations of privacy’ shared by Members of this Court.”30 Justice Gorsuch also criticized the Katz test for producing “often unpredictable—and sometimes unbelievable—jurisprudence.”31 In addition to results of Smith and Miller, he discussed Florida v. Riley,32 where a police helicopter hovering 400 feet above a person’s property invaded no reasonable expectation of privacy, and California v. Greenwood,33 which held that people have no reasonable expectation of privacy in garbage they put out for collection—despite the fact that California state law expressly protected a homeowner’s property rights in discarded trash.

Justice Gorsuch criticized the majority for leaving the third-party doctrine intact without providing any clear guidance, other than the fact that the doctrine does not apply to CLSI “(for seven days, anyway),” but does to “a lifetime of bank or phone records.”34 “In the Court’s defense, though, we have arrived at this strange place not because the Court has misunderstood Katz. Far from it. We have arrived here because this is where Katz inevitably leads.”35

Finally, Justice Gorsuch suggested another way to approach the issues in the case:

First, the fact that a third party has access to or possession of your papers and effects does not necessarily eliminate your interest in them. . . . Just because you entrust your data—in some cases, your modern day papers and effects—to a third party may not mean you lose any Fourth Amendment protection in its contents.

Second, I doubt that complete ownership or exclusive control of property is always necessary to the assertion of a Fourth Amendment right. . . . At least some of this Court’s decisions have already suggested that use of technology is functionally compelled by the demands of modern life, and in that way the fact that we store data with third parties may amount to a sort of involuntary bailment too.

Third, positive law may help provide detailed guidance on evolving technologies without resort to judicial intuition. State (or sometimes federal) law often creates rights in both tangible and intangible things. . . . If state legislators or state courts say that a digital record has the attributes that normally make something property, that may supply a sounder basis for judicial decision-making than judicial guesswork about societal expectations.36

Justice Gorsuch stated that the Court must preserve “that degree of privacy against the government that existed when the Fourth Amendment was adopted,” but that this does not mean “protecting only the specific rights known at the founding; it means protecting their modern analogues too.”37 “It seems to me entirely possible a person’s cell-site data could qualify as his papers or effects under existing law.”38 Justice Gorsuch concluded by stating that those interests in cell-site data “might even rise to the level of a property right” but that these arguments were not made by Carpenter in this case—and that he “forfeited perhaps his most promising line of argument.”39

What Needs to Be Done

Most of the challenges faced by the majority opinion in crafting a decision and the concerns about and objections to that decision, as discussed in the various dissenting opinions, are due to the basic flaws in the legal approach now used to provide for data privacy protection. The Carpenter case highlights the problems that plague how we address data privacy protection in our digital world. Three changes, described below, need to take place.

1. Decouple Data Privacy and the Fourth Amendment

In Griswold v. Connecticut, the Supreme Court formally recognized a right to privacy under the United States Constitution, finding it in the penumbras of the Bill of Rights.40 The right of privacy came partially from the First Amendment freedom of association, partially from the Third Amendment prohibition against the quartering of soldiers in private houses, partially from the Fourth Amendment right against unreasonable searches and seizures, and partially from the Fifth Amendment right against self-incrimination.41 Unfortunately, since that time the vast majority of court decisions have attempted to dictate the direction of the right of privacy exclusively under the Fourth Amendment, and, conversely, often dictate the requirements of the Fourth Amendment based upon some notion of privacy. Obviously the two are interrelated and often intertwined, but they do not have to be as mutually dependent upon each other as they have become. Each one has impeded the evolution of the other to some extent. It has become almost impossible to have any discussion about what data privacy protection should be without being hijacked by a discussion of Fourth Amendment jurisprudence. Yes, the Fourth Amendment plays an important role in shaping privacy, but it is not the only source of law that should be involved. As Justice Thomas observed in his dissent, “[a]s the Majority opinion in Katz recognized, the Fourth Amendment ‘cannot be translated into a general constitutional ‘right to privacy,’’ as its protections ‘often have nothing to do with privacy at all.’”42

As discussed below, data privacy rules or statutes need to be enacted as positive law. We should no longer have to rely on vague, unstable, and court-dependent notions of privacy. The results of a case should not simply resemble the views of the judge deciding it. Furthermore, as reflected in some of the arguments made in the Carpenter dissents, Fourth Amendment jurisprudence should not be reliant on a reasonable expectation of privacy standard. It is a difficult standard to apply. Certainly, traditional notions of privacy will often be involved in a Fourth Amendment inquiry, but they need not be derived from and dependent upon Katz and its progeny.

2. Reconsider Katz v. United States

While the decision in the Katz case was correct, the test that evolved from the case has proven to be unworkable and has failed dramatically.43 What makes this even more frustrating is that, as is brilliantly described in the articles by Peter Winn44 and Harvey Schneider,45 cited in the dissent of Justice Thomas,46 the test as interpreted and applied in numerous cases over the years was not what was intended as proposed to and adopted by the Court. For the reasons convincingly presented in those two articles, the Katz test was never supposed to have two prongs, one objective and one subjective—just the one objective test.47 As Orin Kerr illustrated in his article Katz Has Only One Step: The Irrelevance of Subjective Expectations, the vast majority of courts applying the Katz test, or attempting to apply the Katz test, use only the objective part of the test anyway.48

Even if the test had included only the objective prong over the last fifty years, we would likely be, more or less, in the same predicament. That is because of the natural tendency for expectations of privacy to diminish each time some encroachment occurs. Shaun Spencer accurately predicted in 2002 that there would be an inevitable erosion in an expectation-driven conception of privacy.49 Unless there is some positive law—statutes or rules—to combat the erosion, the expectations of privacy will inevitably diminish over time.50

Justice Thomas specifically called for a reconsideration of Katz in his dissent,51 and Justice Roberts specifically noted in the majority opinion that neither of the parties had asked for the Court to reconsider Katz in this case.52 Along with my other two suggestions, the decoupling of data privacy from the Fourth Amendment and the passage of data privacy legislation, this would probably become an easy matter. If data privacy were no longer shackled exclusively to the Fourth Amendment and if there were positive law to instruct a court, the Katz test, as reconstructed, could probably become more straight-forward and useful.

3. Adopt Legislation that Clearly Defines Privacy Data Protection

The United States finally needs to address data privacy protection in a comprehensive fashion, much like the much-discussed and recently effective General Data Protection Rule (GDPR) of the European Union.53 For far too long, the U.S. has employed a sectoral approach to protecting data privacy. It has not worked. As discussed above, Katz’s reasonable expectation of privacy is, in too many situations, approaching zero. Given the ability of modern technology to collect, aggregate, sort and analyze personal data, there needs to be legislation to regulate the use of that data.

With the GDPR having officially become effective on May 25, 2018, the time is ripe.54 Many companies have already altered their data policies to conform, at least in some ways, to the new requirements. Congress needs to finally address this major issue. As illustrated by the mix of Justices and their opinions regarding privacy, this does not appear to be a politically polarizing issue – people on both sides of the aisle are concerned about data privacy protection.

The dissenting opinions of both Justices Alito and Gorsuch beg for legislative action. Justice Gorsuch twice questioned in his dissent why it judges rather than legislators were being asked to make these decisions about data privacy,55 and he clearly called for the introduction of positive law.56 Justice Alito ended his dissent by stating “Legislation is much preferable to the development of an entirely new body of Fourth Amendment caselaw for many reasons, including the enormous complexity of the subject, the need to respond to rapidly changing technology, and the Fourth Amendment’s limited scope.”57 He had similarly discussed this in United States v. Jones, observing:

[C]oncern about new intrusions on privacy may spur the enactment of legislation to protect against these intrusions. This is what ultimately happened with respect to wiretapping. After Katz, Congress did not leave it to the courts to develop a body of Fourth Amendment case law governing that complex subject. Instead, Congress promptly enacted a comprehensive statute.58

Law needs to evolve as society and technology change. Congress needs to sit down and pass long overdue comprehensive legislation that addresses all aspects of data privacy protection. Katz and the Fourth Amendment are not capable of doing that by themselves. Legislation, obviously, would provide for much needed regulation for the collection and use of data and would provide the positive law necessary to avoid the inevitable conflicts between and frequent incompatibility of Katz and the Fourth Amendment.

*  Ernest L. Baskin, Jr. Distinguished Professor of Computer Science and Law, Stetson School of Business and Economics, Mercer University, Atlanta.

1. 138 S. Ct. 2206 (2018).

2. Id. at 2219.

3. It is very difficult to define “privacy.” Over the last fifty years or so, the notion of privacy has been intertwined with the Katz case and its test. While privacy has often been described as including personal autonomy and informational privacy, the latter category has dominated much of the discussion in recent years because of the advancements made in digital technology and the effects it has had on everyday life. What I am discussing in this paper is basically called “data protection” in the European Union. In order to distinguish between and avoid confusion with those rules and in order not to be bogged down by all the possible meanings of “privacy” under U.S. law, I will use the terms “data privacy” or “data privacy protection” in this paper.

4. 389 U.S. 347 (1967).

5. 425 U.S. 435 (1976) (holding that a person has no legitimate expectation of privacy once bank records are voluntarily given to a third party: the bank).

6. 442 U.S. 735 (1979) (holding that there was no legitimate expectation in pen register information used to facilitate the making of phone calls because the customer voluntary provided the information to the phone company).

7. See generally Orin S. Kerr, The Case for the Third-Party Doctrine, 107 Mich. L. Rev. 561 (2009); Peter Ormerod and Lawrence J. Trautman, A Descriptive Analysis of the Fourth Amendment and the Third-Party Doctrine in the Digital Age, 28 Albany L. J. Sci. & Tech. 73 (2018).

8. Carpenter v. United States, 138 S. Ct. 2206, 2210 (2018).

9. Id. at 2217. The Court stated in a footnote that it is “sufficient for our purposes today that accessing seven days of CLSI constitutes a Fourth Amendment search. Id. at 2217 n.3.

10. Id. at 2210.

11. 565 U.S. 400 (2012).

12. Carpenter, 138 S. Ct. at 2218.

13. Id. at 2210.

14. Id. at 2220.

15. Id. at 2224 (Kennedy, J., dissenting).

16. Id. at 2228.

17. Id. at 2246.

18. Id. at 2235 (Thomas, J., dissenting).

19. Id. at 2237.

20. Id.

21. Id. at 2247 (Alito, J., dissenting).

22. Id.

23. In Jones, Justice 1Alito had written in a concurring opinion that “I would analyze the question presented in this case by asking whether respondent’s reasonable expectations of privacy were violated by the long-term monitoring of the movements of the vehicle he drove.” 565 U.S. 400, 419 (2012) (Alito, J., concurring). Presumably, his objections to the majority’s handling of the search in this case outweighed his concerns about privacy.

24. Carpenter, 138 S.Ct. at 2246–47. (Alito, J., dissenting).

25. Id. at 2261 (Gorsuch, J., dissenting).

26. Id. at 2262.

27. Id.

28. Id. at 2265.

29. Id.

30. Id. (quoting from Minnesota v. Carter, 525 U.S. 83, 97 (1998) (Scalia, J., concurring)).

31. Id. at 2266.

32. 488 U.S. 445 (1989).

33. 486 U.S. 35 (1988).

34. Carpenter, 138 S. Ct at 2267 (Gorsuch, J., dissenting).

35. Id.

36. Id. at 2268–70.

37. Id. at 2271.

38. Id. at 2272.

39. Id.

40. 381 U.S. 479 (1965).

41. Id. at 484.

42. Carpenter, 138 S. Ct. at 2240 (Thomas, J., dissenting).

43. See, e.g., Daniel J. Solove, Fourth Amendment Pragmatism, 51 B.C. L. Rev. 1511, 1521 (2010).

44. See generally Peter Winn, Katz and the Origins of the “Reasonable Expectation of Privacy” Test, 40 McGeorge L. Rev. 1 (2009).

45. See generally Harvey A. Schneider, Katz v. United States: The Untold Story, 40 McGeorge L. Rev. 13 (2009).

46. Carpenter, 138 S. Ct. at 2235 (Thomas, J., dissenting).

47. Schneider, supra note 45; Winn, supra note 44.

48. Orin S. Kerr, Katz Has Only One Step: The Irrelevance of Subjective Expectations, 82 U. Chi. L. Rev. 113, 116–22 (2015).

49. Shaun B. Spencer, Reasonable Expectations and the Erosion of Privacy, 39 San Diego L. Rev. 843, 869–90 (2002).

50. See Jordan M. Blanke and Janine S. Hiller, Predictability for Privacy in a Data Driven Government, 20 Minn. J. Law Sci. & Tech. (forthcoming 2018), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3152026.

51. . Carpenter, 138 S. Ct. at 2236 (Thomas, J., dissenting).

52. . Id. at 2214 n.1.

53. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/ EC (General Data Protection Regulation), 2016 O.J. (L 119) 1, http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=EN.

54. California just passed a comprehensive data privacy protection law similar to the GDPR which will take effect on Jan. 1, 2020. California Consumer Privacy Act of 2018, A.B. 375, Reg. Sess. (Cal. 2017–18) (Jun. 28, 2018) at https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375. See Daisuke Wakabayashi, California Passes Sweeping Law to Protect Online Privacy, N.Y. Times (Jun. 28, 2018), .

55. Carpenter, 138 S. Ct. at 2265 (Gorsuch, J., dissenting).

56. Id.

57. Id. at 2261 (Alito, J., dissenting).

58. United States v. Jones, 565 U.S. 400, 427 (2012) (Alito, J., concurring).

Introduction

The Supreme Court’s decision in Carpenter v. United States1 clearly illustrates that we have been trying to fit a square peg into a round hole for far too long. The 5-4 majority opinion written by Chief Justice Roberts and joined by Justices Ginsburg, Breyer, Sotomayor, and Kagan declined to extend the third-party doctrine to cell-site location information (CSLI), recognizing the “seismic shifts in digital technology” 2 that have taken place since the doctrine arose in the 1970s. The Court, however, did not overturn the doctrine. There were four separate dissenting opinions, highlighting several different issues, including the lack of direction on when to apply what is left of the third-party doctrine. The opinions in Carpenter beg for three major changes concerning data privacy3 and the Fourth Amendment:

the decoupling of data privacy and the Fourth Amendment,

the reconsideration of Katz v. United States,4 and

the adoption of legislation that clearly defines data privacy protection.

Carpenter v. United States

The Carpenter majority handed down a narrow decision, upholding the third-party doctrine that evolved from U.S. v. Miller5 and Smith v. Maryland6 but refusing to extend it to cover CLSI. The doctrine is largely outdated, having emerged in the 1970s before the proliferation of digitized data, massively aggregated data, and sophisticated data collection and analysis.7 The Court held that there is a “world of difference between the limited types of personal information addressed in Smith and Miller and the exhaustive chronicle of information casually collected by wireless carriers today.”8 The Court stated that “[s]uch a chronicle implicates privacy concerns far beyond those considered in Smith and Miller.”

The Court held that “an individual maintains a legitimate expectation of privacy in the record of his physical movements as captured through CLSI.”9 The Court stated that CLSI presents “even greater privacy concerns than the GPS monitoring” 10 considered in United States v. Jones11 because of the constant and perfect surveillance that results. “While individuals regularly leave their vehicles, they compulsively carry cell phones with them all the time.”12 The Court discussed the fact that it needs to take account of technology that is already in use as well as that being developed.13 It reiterated Justice Frankfurter’s warning to tread carefully with new technology so as to not “embarrass the future.”14 The Court did not provide a bright-line test for determining the exact reach of the third-party doctrine in future cases.

Four dissenting opinions expressed several varied objections to the Court’s holding, including the absence of a clear test going forward. The primary thrust of Justice Kennedy’s dissent (which was joined by Justices Thomas and Alito) was that Carpenter could assert neither ownership nor possession of the cell phone data records and had no control over nor right to use the records.15 Persons like Carpenter “have no rights to object to the records’ disclosure.”16 He concluded that “[b]ecause the Katz test is a failed experiment, this Court is dutybound to reconsider it.”17

Justice Thomas believed that the case should not turn on whether a search occurred, but rather on whose property was searched—Carpenter “did not create the records, he does not maintain them, he cannot control them, and he cannot destroy them.”18 He stated that the “more fundamental problem with the Court’s opinion, however, is its use of the ‘reasonable expectation of privacy’ test” from Katz.19 “The Katz test has no basis in the text or history of the Fourth Amendment. . . . Until we confront the problems with this test, Katz will continue to distort Fourth Amendment jurisprudence.”20

Justice Alito’s dissent (which was joined by Justice Thomas) focused primarily on two objections: first, that the Court ignored the basic distinction between an actual search and “an order merely requiring a party to look through its own records and produce specified documents,”21 and second, that the Court “allows a defendant to object to the search of a third party’s property.”22 Prior to this decision, there was much speculation about how Justice Alito would approach this case given his previous statements in United States v. Jones expressing concern about how modern technology has impacted privacy.23 In fact, Justice Alito began his dissent: “I share the Court’s concern about the effect of new technology on personal privacy, but I fear that today’s decision will do far more harm than good.”24

Justice Gorsuch’s dissent is probably the most interesting of the opinions—and possibly the most prescient in several regards.25 First, he discussed the advisability of extending the third-party doctrine to the facts in the case. He stated that he was ready to abandon the third-party doctrine completely because it never really made any sense; the “third-party doctrine is not only wrong, but horribly wrong.”26 He does not think the Court has ever provided a persuasive justification for it and did not want to extend it in this case.27

Next, regarding the advisability of setting aside Smith and Miller and just relying on Katz, Justice Gorsuch was concerned about whether the Katz test would be able to provide much guidance: “We still don’t even know what its ‘reasonable expectation of privacy’ test is.”28 If the Katz test is to be conceived as a normative question, why do judges, rather than legislators, have to determine what society should be prepared to recognize as a legitimate expectation of privacy, he asked.29 He quoted Justice Scalia’s oft-cited observation that “‘reasonable expectations of privacy’ come to bear ‘an uncanny resemblance to those expectations of privacy’ shared by Members of this Court.”30 Justice Gorsuch also criticized the Katz test for producing “often unpredictable—and sometimes unbelievable—jurisprudence.”31 In addition to results of Smith and Miller, he discussed Florida v. Riley,32 where a police helicopter hovering 400 feet above a person’s property invaded no reasonable expectation of privacy, and California v. Greenwood,33 which held that people have no reasonable expectation of privacy in garbage they put out for collection—despite the fact that California state law expressly protected a homeowner’s property rights in discarded trash.

Justice Gorsuch criticized the majority for leaving the third-party doctrine intact without providing any clear guidance, other than the fact that the doctrine does not apply to CLSI “(for seven days, anyway),” but does to “a lifetime of bank or phone records.”34 “In the Court’s defense, though, we have arrived at this strange place not because the Court has misunderstood Katz. Far from it. We have arrived here because this is where Katz inevitably leads.”35

Finally, Justice Gorsuch suggested another way to approach the issues in the case:

First, the fact that a third party has access to or possession of your papers and effects does not necessarily eliminate your interest in them. . . . Just because you entrust your data—in some cases, your modern day papers and effects—to a third party may not mean you lose any Fourth Amendment protection in its contents.

Second, I doubt that complete ownership or exclusive control of property is always necessary to the assertion of a Fourth Amendment right. . . . At least some of this Court’s decisions have already suggested that use of technology is functionally compelled by the demands of modern life, and in that way the fact that we store data with third parties may amount to a sort of involuntary bailment too.

Third, positive law may help provide detailed guidance on evolving technologies without resort to judicial intuition. State (or sometimes federal) law often creates rights in both tangible and intangible things. . . . If state legislators or state courts say that a digital record has the attributes that normally make something property, that may supply a sounder basis for judicial decision-making than judicial guesswork about societal expectations.36

Justice Gorsuch stated that the Court must preserve “that degree of privacy against the government that existed when the Fourth Amendment was adopted,” but that this does not mean “protecting only the specific rights known at the founding; it means protecting their modern analogues too.”37 “It seems to me entirely possible a person’s cell-site data could qualify as his papers or effects under existing law.”38 Justice Gorsuch concluded by stating that those interests in cell-site data “might even rise to the level of a property right” but that these arguments were not made by Carpenter in this case—and that he “forfeited perhaps his most promising line of argument.”39

What Needs to Be Done

Most of the challenges faced by the majority opinion in crafting a decision and the concerns about and objections to that decision, as discussed in the various dissenting opinions, are due to the basic flaws in the legal approach now used to provide for data privacy protection. The Carpenter case highlights the problems that plague how we address data privacy protection in our digital world. Three changes, described below, need to take place.

1. Decouple Data Privacy and the Fourth Amendment

In Griswold v. Connecticut, the Supreme Court formally recognized a right to privacy under the United States Constitution, finding it in the penumbras of the Bill of Rights.40 The right of privacy came partially from the First Amendment freedom of association, partially from the Third Amendment prohibition against the quartering of soldiers in private houses, partially from the Fourth Amendment right against unreasonable searches and seizures, and partially from the Fifth Amendment right against self-incrimination.41 Unfortunately, since that time the vast majority of court decisions have attempted to dictate the direction of the right of privacy exclusively under the Fourth Amendment, and, conversely, often dictate the requirements of the Fourth Amendment based upon some notion of privacy. Obviously the two are interrelated and often intertwined, but they do not have to be as mutually dependent upon each other as they have become. Each one has impeded the evolution of the other to some extent. It has become almost impossible to have any discussion about what data privacy protection should be without being hijacked by a discussion of Fourth Amendment jurisprudence. Yes, the Fourth Amendment plays an important role in shaping privacy, but it is not the only source of law that should be involved. As Justice Thomas observed in his dissent, “[a]s the Majority opinion in Katz recognized, the Fourth Amendment ‘cannot be translated into a general constitutional ‘right to privacy,’’ as its protections ‘often have nothing to do with privacy at all.’”42

As discussed below, data privacy rules or statutes need to be enacted as positive law. We should no longer have to rely on vague, unstable, and court-dependent notions of privacy. The results of a case should not simply resemble the views of the judge deciding it. Furthermore, as reflected in some of the arguments made in the Carpenter dissents, Fourth Amendment jurisprudence should not be reliant on a reasonable expectation of privacy standard. It is a difficult standard to apply. Certainly, traditional notions of privacy will often be involved in a Fourth Amendment inquiry, but they need not be derived from and dependent upon Katz and its progeny.

2. Reconsider Katz v. United States

While the decision in the Katz case was correct, the test that evolved from the case has proven to be unworkable and has failed dramatically.43 What makes this even more frustrating is that, as is brilliantly described in the articles by Peter Winn44 and Harvey Schneider,45 cited in the dissent of Justice Thomas,46 the test as interpreted and applied in numerous cases over the years was not what was intended as proposed to and adopted by the Court. For the reasons convincingly presented in those two articles, the Katz test was never supposed to have two prongs, one objective and one subjective—just the one objective test.47 As Orin Kerr illustrated in his article Katz Has Only One Step: The Irrelevance of Subjective Expectations, the vast majority of courts applying the Katz test, or attempting to apply the Katz test, use only the objective part of the test anyway.48

Even if the test had included only the objective prong over the last fifty years, we would likely be, more or less, in the same predicament. That is because of the natural tendency for expectations of privacy to diminish each time some encroachment occurs. Shaun Spencer accurately predicted in 2002 that there would be an inevitable erosion in an expectation-driven conception of privacy.49 Unless there is some positive law—statutes or rules—to combat the erosion, the expectations of privacy will inevitably diminish over time.50

Justice Thomas specifically called for a reconsideration of Katz in his dissent,51 and Justice Roberts specifically noted in the majority opinion that neither of the parties had asked for the Court to reconsider Katz in this case.52 Along with my other two suggestions, the decoupling of data privacy from the Fourth Amendment and the passage of data privacy legislation, this would probably become an easy matter. If data privacy were no longer shackled exclusively to the Fourth Amendment and if there were positive law to instruct a court, the Katz test, as reconstructed, could probably more become straight-forward and useful.

3. Adopt Legislation that Clearly Defines Privacy Data Protection

The United States finally needs to address data privacy protection in a comprehensive fashion, much like the much-discussed and recently effective General Data Protection Rule (GDPR) of the European Union.53 For far too long, the U.S. has employed a sectoral approach to protecting data privacy. It has not worked. As discussed above, Katz’s reasonable expectation of privacy is, in too many situations, approaching zero. Given the ability of modern technology to collect, aggregate, sort and analyze personal data, there needs to be legislation to regulate the use of that data.

With the GDPR having officially become effective on May 25, 2018, the time is ripe.54 Many companies have already altered their data policies to conform, at least in some ways, to the new requirements. Congress needs to finally address this major issue. As illustrated by the mix of Justices and their opinions regarding privacy, this does not appear to be a politically polarizing issue – people on both sides of the aisle are concerned about data privacy protection.

The dissenting opinions of both Justices Alito and Gorsuch beg for legislative action. Justice Gorsuch twice questioned in his dissent why it judges rather than legislators were being asked to make these decisions about data privacy,55 and he clearly called for the introduction of positive law.56 Justice Alito ended his dissent by stating “Legislation is much preferable to the development of an entirely new body of Fourth Amendment caselaw for many reasons, including the enormous complexity of the subject, the need to respond to rapidly changing technology, and the Fourth Amendment’s limited scope.”57 He had similarly discussed this in United States v. Jones, observing:

[C]oncern about new intrusions on privacy may spur the enactment of legislation to protect against these intrusions. This is what ultimately happened with respect to wiretapping. After Katz, Congress did not leave it to the courts to develop a body of Fourth Amendment case law governing that complex subject. Instead, Congress promptly enacted a comprehensive statute.58

Law needs to evolve as society and technology change. Congress needs to sit down and pass long overdue comprehensive legislation that addresses all aspects of data privacy protection. Katz and the Fourth Amendment are not capable of doing that by themselves. Legislation, obviously, would provide for much needed regulation for the collection and use of data and would provide the positive law necessary to avoid the inevitable conflicts between and frequent incompatibility of Katz and the Fourth Amendment.

*  Ernest L. Baskin, Jr. Distinguished Professor of Computer Science and Law, Stetson School of Business and Economics, Mercer University, Atlanta.

1. 138 S. Ct. 2206 (2018).

2. Id. at 2219.

3. It is very difficult to define “privacy.” Over the last fifty years or so, the notion of privacy has been intertwined with the Katz case and its test. While privacy has often been described as including personal autonomy and informational privacy, the latter category has dominated much of the discussion in recent years because of the advancements made in digital technology and the effects it has had on everyday life. What I am discussing in this paper is basically called “data protection” in the European Union. In order to distinguish between and avoid confusion with those rules and in order not to be bogged down by all the possible meanings of “privacy” under U.S. law, I will use the terms “data privacy” or “data privacy protection” in this paper.

4. 389 U.S. 347 (1967).

5. 425 U.S. 435 (1976) (holding that a person has no legitimate expectation of privacy once bank records are voluntarily given to a third party: the bank).

6. 442 U.S. 735 (1979) (holding that there was no legitimate expectation in pen register information used to facilitate the making of phone calls because the customer voluntary provided the information to the phone company).

7. See generally Orin S. Kerr, The Case for the Third-Party Doctrine, 107 Mich. L. Rev. 561 (2009); Peter Ormerod and Lawrence J. Trautman, A Descriptive Analysis of the Fourth Amendment and the Third-Party Doctrine in the Digital Age, 28 Albany L. J. Sci. & Tech. 73 (2018).

8. Carpenter v. United States, 138 S. Ct. 2206, 2210 (2018).

9. Id. at 2217. The Court stated in a footnote that it is “sufficient for our purposes today that accessing seven days of CLSI constitutes a Fourth Amendment search. Id. at 2217 n.3.

10. Id. at 2210.

11. 565 U.S. 400 (2012).

12. Carpenter, 138 S. Ct. at 2218.

13. Id. at 2210.

14. Id. at 2220.

15. Id. at 2224 (Kennedy, J., dissenting).

16. Id. at 2228.

17. Id. at 2246.

18. Id. at 2235 (Thomas, J., dissenting).

19. Id. at 2237.

20. Id.

21. Id. at 2247 (Alito, J., dissenting).

22. Id.

23. In Jones, Justice 1Alito had written in a concurring opinion that “I would analyze the question presented in this case by asking whether respondent’s reasonable expectations of privacy were violated by the long-term monitoring of the movements of the vehicle he drove.” 565 U.S. 400, 419 (2012) (Alito, J., concurring). Presumably, his objections to the majority’s handling of the search in this case outweighed his concerns about privacy.

24. Carpenter, 138 S. Ct. at 2246–47. (Alito, J., dissenting).

25. Id. at 2261 (Gorsuch, J., dissenting).

26. Id. at 2262.

27. Id.

28. Id. at 2265.

29. Id.

30. Id. (quoting from Minnesota v. Carter, 525 U.S. 83, 97 (1998) (Scalia, J., concurring)).

31. Id. at 2266.

32. 488 U.S. 445 (1989).

33. 486 U.S. 35 (1988).

34. Carpenter, 138 S. Ct at 2267 (Gorsuch, J., dissenting).

35. Id.

36. Id. at 2268–70.

37. Id. at 2271.

38. Id. at 2272.

39. Id.

40. 381 U.S. 479 (1965).

41. Id. at 484.

42. Carpenter, 138 S. Ct. at 2240 (Thomas, J., dissenting).

43. See, e.g., Daniel J. Solove, Fourth Amendment Pragmatism, 51 B.C. L. Rev. 1511, 1521 (2010).

44. See generally Peter Winn, Katz and the Origins of the “Reasonable Expectation of Privacy” Test, 40 McGeorge L. Rev. 1 (2009).

45. See generally Harvey A. Schneider, Katz v. United States: The Untold Story, 40 McGeorge L. Rev. 13 (2009).

46. Carpenter, 138 S. Ct. at 2235 (Thomas, J., dissenting).

47. Schneider, supra note 45; Winn, supra note 44.

48. Orin S. Kerr, Katz Has Only One Step: The Irrelevance of Subjective Expectations, 82 U. Chi. L. Rev. 113, 116–22 (2015).

49. Shaun B. Spencer, Reasonable Expectations and the Erosion of Privacy, 39 San Diego L. Rev. 843, 869–90 (2002).

50. See Jordan M. Blanke and Janine S. Hiller, Predictability for Privacy in a Data Driven Government, 20 Minn. J. Law Sci. & Tech. (forthcoming 2018), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3152026.

51. . Carpenter, 138 S. Ct. at 2236 (Thomas, J., dissenting).

52. . Id. at 2214 n.1.

53. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/ EC (General Data Protection Regulation), 2016 O.J. (L 119) 1, http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=EN.

54. California just passed a comprehensive data privacy protection law similar to the GDPR which will take effect on Jan. 1, 2020. California Consumer Privacy Act of 2018, A.B. 375, Reg. Sess. (Cal. 2017–18) (Jun. 28, 2018) at https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375. See Daisuke Wakabayashi, California Passes Sweeping Law to Protect Online Privacy, N.Y. Times (Jun. 28, 2018), .

55. Carpenter, 138 S. Ct. at 2265 (Gorsuch, J., dissenting).

56. Id.

57. Id. at 2261 (Alito, J., dissenting).

58. United States v. Jones, 565 U.S. 400, 427 (2012) (Alito, J., concurring).

The full text of this Article is available to download as a PDF.