Digital Privacy: The Importance of Private Right of Action
Senior Legislative Counsel, ACLU
inpractise.com/articles/private-right-of-action
Why is this interview interesting?
- The role that private right of action plays in keeping corporates accountable to the regulatory framework in the U.S.
Neema Guliani
Senior Legislative Counsel, ACLU
Neema Singh Guliani is a senior legislative counsel with the American Civil Liberties Union Washington Legislative Office, focusing on surveillance, privacy, and national security issues. Prior to joining the ACLU, she worked in the Chief of Staff’s Office at DHS, concentrating on national security and civil rights issues. She has also worked as an adjudicator in the Office of the Assistant Secretary for Civil Rights in the Department of Agriculture and was an investigative counsel with House Oversight and Government Reform Committee, where she conducted investigations related to the BP oil spill, contractors in Iraq and Afghanistan, and the Recovery Act. Neema is a graduate of Brown University where she earned a BA in International Relations with a focus on global security and received her JD from Harvard Law School in 2008.
Interview Transcript
How do you see the debate over enforcement playing out over the next few years?
One of the biggest points of friction is what will a private right of action look like? When will people be able to take companies to court who violate their rights? Will there be statutory damages? This idea that if you violate a regulation, a company could be on the hook for whatever the amount of money is.
In the privacy world, it’s often very difficult to prove harm. Take Cambridge Analytica as an example. There was something that went wrong here, and it resulted in some harm. How do you prove a particular harm to a particular person in a particular case? It’s very labour-intensive. To make sure you can actually receive damages that reflect the harm, you’re going to need the ability to take a company to court and also, some level of statutory damages per violation.
That’s obviously something that a lot of people in industry have opposed, but I think without that, you could end up with a privacy law that is words on paper that nobody’s enforcing. You’ve already seen government actors raise this as a problem. When California passed its privacy law, the Attorney General supported having a private right of action for consumers because they simply don’t have the resources to enforce privacy laws. There’s only a handful of people in the Attorney General’s office who focus specifically on privacy, and resources are already a challenge.
A similar phenomenon exists at the federal level. You have the FTC which, for years, has not had strong enforcement. There are many valid criticisms of the FTC and why it hasn’t acted in a way that has resulted in strong enforcement of our privacy laws. One of the biggest examples was Facebook operating under a consent decree with the FTC. They had been found to have engaged in unfair and deceptive trade practices, they made an agreement with the FTC, then we saw they had all these privacy issues, not just with Cambridge Analytica, but other practices that raised concerns.
The lesson of history is that government enforcement in the US is often not enough. Having private litigants be able to go to court, figure out what that looks like, when they can receive damages, and what class actions look like is probably one of the biggest areas where there has to be a shift in how industry is approaching this issue for there to be a strong law that results in meaningful changes.
People have talked about beefing up the powers that exist in government for enforcement, creating a new privacy bureau similar to the Consumer Financial Protection Bureau in the US; whether it’s possible to create something like that for privacy, either at a federal or state level.
That is a worthwhile endeavour, but it can be labour- and cost-intensive to stand up a new agency. There are also questions about how changes in political leadership could affect what an agency does. If you have a new administration that doesn’t want to enforce privacy laws as strongly, does that change the way an agency can approach enforcement? From an enforcement perspective two buckets are how we give private people more rights and how we give the government more enforcement powers. I don’t think one without the other is going to be sufficient.
Related Content
Copyright Notice
This document may not be reproduced, distributed, or transmitted in any form or by any means including resale of any part, unauthorised distribution to a third party or other electronic methods, without the prior written permission of IP 1 Ltd.
IP 1 Ltd, trading as In Practise (herein referred to as "IP") is a company registered in England and Wales and is not a registered investment advisor or broker-dealer, and is not licensed nor qualified to provide investment advice.
In Practise reserves all copyright, intellectual and other property rights in the Content. The information published in this transcript (“Content”) is for information purposes only and should not be used as the sole basis for making any investment decision. Information provided by IP is to be used as an educational tool and nothing in this Content shall be construed as an offer, recommendation or solicitation regarding any financial product, service or management of investments or securities.
© 2024 IP 1 Ltd. All rights reserved.