Data Protection and the Fourth Amendment: The Implications of Airbnb, Inc. v. City of New York

In August 2018, a New York City bill that required data-sharing between short-term apartment rental platforms and New York law enforcement was signed into law and scheduled to take effect in February. The new legislation mandated that home-sharing companies share troves of hosts’ personal information with the New York City Office of Special Enforcement (OSE) on a monthly basis. In response, Airbnb, the largest home-sharing platform in New York, filed for a preliminary injunction before the law was set to take effect. [1] In January, U.S. District Judge Paul Engelmayer granted Airbnb the injunction, temporarily blocking the New York City law before the court rules on its permanent status. [2] 

In Airbnb, Inc. v. City of New York (2018), the plaintiff cited the Fourth Amendment and the Stored Communications Act of 1986 as the primary grounds for injunction. [3] Under the prevailing New York City law, the city would require Airbnb and other short-term rental platforms to provide the following information about each listing on their platform to OSE: the address of the short-term rental property; the full name, address, phone number, email address, and bank account information of the host; the dates rented out; and the fees charged for each stay. [4] The OSE intended to use this information to preemptively investigate and prosecute illegal short-term rental activity that violated New York’s Multiple Dwelling Laws. [5] 

Judge Engelmayer found the sheer breadth of the personal data required by OSE under the New York city statute “breathtaking.” [6] The court found that the city ordinance was in violation of the Fourth Amendment’s protection against unreasonable search and seizure, despite the lack of physical entry and seizure of physical materials, which has historically been considered paradigmatic features of Fourth Amendment enforcement. [7][8]

 The court’s preliminary decision in Airbnb, Inc. relies on a few critical data protection cases as precedent. One notable case is Carpenter v. United States (2018), in which the plaintiff, Timothy Carpenter, claimed that the FBI had violated his reasonable expectation of privacy under the Fourth Amendment when it obtained his cell site location information (CSLI) from his cell service provider without a warrant. [9] 

For its defense in Carpenter, the FBI relied on the third party doctrine as justification for its actions. This doctrine, originating from landmark cases like United States v. Miller (1976) and Smith v. Maryland (1979), holds that individuals essentially forfeit their Fourth Amendment right to the protection of their information when they voluntarily relinquish this information to a third party. In its ruling in Carpenter, the Supreme Court found that the third party doctrine did not extend to cell phone location records due to their “unique nature” in revealing the near constant movements of the phone’s owner. [10] 

In Airbnb, Inc., the U.S. District Court for the Southern District of New York refers to Carpenter’s decision as precedent for applying Fourth Amendment protection in cases of non-physical search and seizure. [11] However, due to the narrow scope of Carpenter, the district court found that the Fourth Amendment’s protection of an individual’s data does not apply to Airbnb, Inc. since Carpenter does not exclude the third party doctrine from applying to matters of personal information. Thus, the court faced a problem in extending this aspect of Carpenter to cases not specifically related to CSLI. 

Judge Engelmayer resolved the tension in Airbnb, Inc. by citing that, while home-sharing platform users aren’t protected in this case under the Fourth Amendment, the platforms themselves are. [12] While in Airbnb, Inc. this notion indirectly extended to protect individuals, it left unsteady ground for future cases concerning consumer data protection by placing the safeguarding of information in the hands of corporate entities rather than consumers themselves. 

While landmark court decisions like Carpenter are essential for reframing the Fourth Amendment in the modern legal landscape, the varied nature of privacy cases makes it difficult to construct a broad legal framework out of case law. As exemplified in Airbnb, Inc., it is difficult to extend highly specific precedent to cases concerning different types of data. Moreover, the United States has yet to implement a comprehensive federal law that regulates the collection and use of personal information. [13] Instead, there is only a loose patchwork of industry-specific laws that leave ample room for loopholes and questionable interpretations of the law. 

Although the current federal legal framework leaves consumer data rather vulnerable in a technological age, the recent enactment of the California Consumer Privacy Act (2018) (CCPA) demonstrates the promising potential of data protection regulation at the state level. CCPA, which will go into effect January 1, 2020, provides four basic rights to California residents: first, the right to know what personal information is being collected by businesses and whether or not this data is being sold; second, the right to deny a business the ability to sell their personal data to third parties; third, the right to request that a business deletes records of their personal information; and fourth, the right to receive the same pricing from a company regardless of whether the consumer restricts the use of their personal information or not. [14]

Since the courts have been largely divided over the complex implications of the Fourth Amendment on data related privacy, the implementation of data privacy laws like CCPA is essential in the protection of consumer data and ensuring that a wide range of potentially sensitive information is not accessible without due process. The courts will continue to define regulatory standards for data privacy, but the enactment of a federal statute that enumerates consumer privacy rights would better serve to protect these interests. 

Sources:

[1] Pierson, Brendan. "Judge Blocks New York City Law Requiring Airbnb to Hand over User Data." Reuters. January 04, 2019. Accessed April 28, 2019. https://www.reuters.com/article/uk-airbnb-lawsuit/judge-blocks-new-york-city-law-requiring-airbnb-to-hand-over-user-data-idUSKCN1OX19L.

[2] Ibid.

[3] Airbnb, Inc. v. City of New York, 1:18-cv-07712 (2019). 

https://www.housingwire.com/ext/resources/files/Editorial/Airbnb-Inc-v-The-City-of-New-York--HomeAwaycom-Inc-v-City-of-New-York.pdf

[4] Ibid.

[5] Valle, Gaby Del. "A Federal Judge Blocked New York's Latest Attempt to Crack down on Airbnb." Vox. January 10, 2019. Accessed April 28, 2019. https://www.vox.com/the-goods/2019/1/9/18174095/airbnb-lawsuit-new-york-city.

[6] Airbnb, Inc. v. City of New York, 1:18-cv-07712 (2019). 

https://www.housingwire.com/ext/resources/files/Editorial/Airbnb-Inc-v-The-City-of-New-York--HomeAwaycom-Inc-v-City-of-New-York.pdf

[7] Slobogin, Christopher. "Is the Fourth Amendment Relevant in a Technological Age?" Brookings Institute. July 28, 2016. Accessed April 28, 2019. https://www.brookings.edu/research/is-the-fourth-amendment-relevant-in-a-technological-age/.

[8] Carpenter v. United States, 138 S. Ct. 2206 (2018). Justia. 2018.

[9] Ibid.

[10] Ibid. 

[11] Airbnb, Inc. v. City of New York, 1:18-cv-07712 (2019). 

https://www.housingwire.com/ext/resources/files/Editorial/Airbnb-Inc-v-The-City-of-New-York--HomeAwaycom-Inc-v-City-of-New-York.pdf

[12] Ibid.

[13] "Reforming the U.S. Approach to Data Protection and Privacy." Council on Foreign Relations. January 30, 2018. Accessed April 28, 2019. https://www.cfr.org/report/reforming-us-approach-data-protection.

[14] "The California Consumer Privacy Act of 2018." Proskauer. July 13, 2018. Accessed April 28, 2019. https://privacylaw.proskauer.com/2018/07/articles/data-privacy-laws/the-california-consumer-privacy-act-of-2018/.