Digital Privacy: The Importance of Private Right of Action

How do you see the debate over enforcement playing out over the next few years?

One of the biggest points of friction is what will a private right of action look like? When will people be able to take companies to court who violate their rights? Will there be statutory damages? This idea that if you violate a regulation, a company could be on the hook for whatever the amount of money is.

In the privacy world, it’s often very difficult to prove harm. Take Cambridge Analytica as an example. There was something that went wrong here, and it resulted in some harm. How do you prove a particular harm to a particular person in a particular case? It’s very labour-intensive. To make sure you can actually receive damages that reflect the harm, you’re going to need the ability to take a company to court and also, some level of statutory damages per violation.

That’s obviously something that a lot of people in industry have opposed, but I think without that, you could end up with a privacy law that is words on paper that nobody’s enforcing. You’ve already seen government actors raise this as a problem. When California passed its privacy law, the Attorney General supported having a private right of action for consumers because they simply don’t have the resources to enforce privacy laws. There’s only a handful of people in the Attorney General’s office who focus specifically on privacy, and resources are already a challenge.

A similar phenomenon exists at the federal level. You have the FTC which, for years, has not had strong enforcement. There are many valid criticisms of the FTC and why it hasn’t acted in a way that has resulted in strong enforcement of our privacy laws. One of the biggest examples was Facebook operating under a consent decree with the FTC. They had been found to have engaged in unfair and deceptive trade practices, they made an agreement with the FTC, then we saw they had all these privacy issues, not just with Cambridge Analytica, but other practices that raised concerns.

The lesson of history is that government enforcement in the US is often not enough. Having private litigants be able to go to court, figure out what that looks like, when they can receive damages, and what class actions look like is probably one of the biggest areas where there has to be a shift in how industry is approaching this issue for there to be a strong law that results in meaningful changes.

People have talked about beefing up the powers that exist in government for enforcement, creating a new privacy bureau similar to the Consumer Financial Protection Bureau in the US; whether it’s possible to create something like that for privacy, either at a federal or state level.

That is a worthwhile endeavour, but it can be labour- and cost-intensive to stand up a new agency. There are also questions about how changes in political leadership could affect what an agency does. If you have a new administration that doesn’t want to enforce privacy laws as strongly, does that change the way an agency can approach enforcement? From an enforcement perspective two buckets are how we give private people more rights and how we give the government more enforcement powers. I don’t think one without the other is going to be sufficient.