Why EFF and CDT May Not Advocate for Individual Private Right of Action

Google is suing to funnel individual user remunerations, awarded by courts, to EFF, CDT. Data owners should speak up for themselves now in small claims court.

 

By Sheila Dean

 

For many years, I wondered why Democratic leaning nonprofits like Center for Democracy and Technology (CDT) and EFF, former coalition colleagues in the privacy field, overlooked and entirely ignored the Privacy Act of 1974 in public education efforts against mass surveillance. It represents an important consumer civil right: the individual right to tell the government to stop processing personal data for non-exempt government uses. They kept mum during the entire Obama administration about this law and only filed a mea culpa amicus brief this Summer based on some recent personal rights violations.

This particular right gets down to hairsplitting among judges, like potential Supreme Court nominee, Brett Kavanaugh. Ars Technica reported statements during Kavanaugh’s confirmation indicating he would side with any corporation’s rights to collect mass data on behalf of the government for their unique purposes.  Unfortunately, unless the normative T-mobile or Verizon informs the customer that they may refuse exchanges of personal data to government agencies (such as the Department of Education, NASA, DARPA, the Geospatial Intelligence Agency) by expressly denying consent to share data with them, Kavanaugh would allow businesses and nonprofits to launder consumer consent tacitly to government transactions. This bypass would treat government actors as a 3rd party data processors.  No warrant necessary. That is why the Privacy Act of 1974 and filing a small claims suit is more important than ever.

According to Media Post, data owners were represented in a class action lawsuit involving Google. Google is suing to send remunerations to nonprofits rather than the data owners or users impacted in the case. We never hear about users who never received an award from their position in the case of privacy, until now. EFF and CDT seem motivated by a win to get Google’s largesse funnel to go to their work. It is likely this is not the first or last time you will see a non-profit, like the ACLU, go in for a civil suit win to collect funding for their non-profit work. You will have to wait until Halloween to hear users vouch toward whether they were actually offered their court award or if feral feudal administrators between these non-profits and Google made decisions for their digital serfs. Google, aware of mass scale of privacy violations, changed its corporate classification in 2017 from an Incorporated public company to a Limited Liability Company incorporation (LLC), because of the mounting volume of lawsuits landing on them due to ongoing willful privacy violations.

That is why I am actively advocating and proclaiming that each data owner impacted by a personal privacy violation file a small claims suit against company or nonprofit data license violators. This means, 501c3’s (like the EFF, CDT or the ‘Church of Google’) or 501c4s (like a political party, partisan political campaign, or a Political Action Committee) also can be taken to small claims courts. You can even take your local government to small claims court for privacy violations. You may even file privacy violations claims against the federal government in your local District Court.

This process is given overview in my current work Privacy Is A Spider; A Guide to Rebalance Private Living, Chapter 2: Droping in From Above, currently available for download at Gumroad.com. Companies with history of serial privacy violations won’t stop violating your rights. You have to stop them and make them pay. Small claims has the power to order anyone who has processed against your consent cease and desist. The courts need to see you self advocate with the legal means you have; which is possibly $15 and a court appearance with your local version of Judge Judy.

Each data owner has a private right of action to make each of these companies or entities pay for their violations of your consent rights and to collect any profits made from involuntary exchange your data, whether it is only $74 or $.74.  If you want to win your privacy case, you will have a higher likelihood in small claims court. The political class won’t reign them in quickly.  You have to do it. There is no real privacy movement if you are not making the legal decisions that matter about your privacy.

 

3 STRONG REASONS WHY YOU SHOULD USE SMALL CLAIMS FOR ANY CORPORATE OR NON-PROFIT PRIVACY VIOLATION

  • Build case law history against violators; which mounts against their lobbying efficacy with agencies like the FTC and the SEC.

  • Win the unique knowledge and access to the transactional trade path of your personal information without the mass invasive process of a Superior Court legal case with your name on it.

  • Be awarded profits from the unapproved licensing of your personal information and private data. (This keeps self-involved lawyers at non-profits from collecting awards made on small bill privacy violations.) 

EU's Safe Harbor Invalidation means 'You are free to do better.'

Europe’s privacy offices are now empowered to do more than look the other way at compromised data transfers.

Data transfer practice at US companies have reputedly poor standards facing the rest of the globe, particularly developed countries in the EU. The plain sense of the Safe Harbor agreement was to create a protected data pipeline to and from countries across the Atlantic. Unfortunately, actions conducted by US and UK intelligence authorities really victimized Europe’s data partnerships in the vagaries, compromising the intent and integrity of Safe Harbor agreement.  This is has led to an Irish based uprising to successfully invalidate a law that provided no useful protections for data transfers.   The ruling will impact the way e-commerce is conducted nearly immediately.

Privacy officers are scrambling to gird themselves under Article 25, EU privacy law. The are throwing out ‘model contracts’  as life savers, now they have been dumped overboard.  They are consulting each other on the would-be Safe Harbor 2.0.  Some coming in the form of binding contract resolutions, deferring to the standards of third party countries (Switzerland), auditing the existing data transfer priorities in order to produce a legal, viable alternative to continue commerce and trading.  Some are even still standing on the sinking ship saying, “You may still honor the Safe Harbor stand… BLUB, BLUB…*!”

There is enormous potential for good to come from an upset; that privacy counsel, Daniel Solove, attributed to “cavalier attitudes” of US governance toward EU data protections.  The legal privacy vacuum opened up by the Safe Harbor invalidation can now be filled with far better standards for the human rights of computer users in Europe. 

The EU has initiated an atmosphere of conditional embargo with some potential for US-EU commerce based on practice that has failed to protect consumers. Unlawful smash & grabs of non-criminal data based on US laws conducted by the Five Eyes/ECHELON group violates computer users everywhere. The EU now has an opportunity to impose standardized consumer data protections with some real teeth on countries in violation of UNHRC privacy rights. They have cause to cease business relations with any county that doesn’t honor its agreements and violates the human rights of its citizens.  While no country wants to pause commercial relations for long, the standards erected now could influence the way US companies collect and distribute data in a global economy respecting privacy.

There are terrific, diverse solutions for a higher global privacy standards. Almost instantly, the Snowden Treaty became a relevant goto for trade reform standard discussions. This suggests trade relations standards would not be harmed or frozen indefinitely over government spying, if companies assume socially responsible protections that do far better than existing law and governance policy. Privacy officials can now bring their most ethical and use friendly solutions for data management to the table to reform conventional business practices that even the most lazy and apathetic corporate counsels would be forced to conform to. US businesses may see the the data protections as a legal relief to require company wide adoption of encryption for all of their consumer and company products. Socially responsible privacy practice has legal means to flourish now the Safe Harbor falsehood has fallen apart.  Finally, they are free to do better.


Reports have indicated that at least 4,500 US companies will be impacted by the Safe Harbor ruling. US businesses will sustain some suffering under drafting of Safe Harbor 2.0 scaffolds, but it’s really for the best.

Businesses should assume more risk for privacy

Company privacy policy can do more for the future of businesses if they forge ahead on the curve of socially responsible consumer offerings.

So much of privacy practice centers on the case for threats: threat evaluation, legal risk mitigation and management, civil liability insurance in case of a breach and information security to ward off a breach. Everything orbiting company privacy policy seems to be on some sort of fire plan for businesses.  There are reasons for that.

Most businesses aren’t on the cultural advance towards privacy. They approach digital privacy primitively. They throw a stick at it. They try to make sure they don’t lose any business due to government rules.  The matter gets so complicated so quickly, many of them are inspired to delegate the whole matter to a lawyer. The lawyers hired do what is lawfully required of a business so they don’t get sued by consumers and sanctioned by the government. That doesn’t always pair with the interests of the consumer, left in the cold from data fire sales and 3rd party information marketing.

Contemporary governments serve double standards towards corporate privacy standards.  They are an opaque partner who wants exclusive views into business operations and their customers, often without a warrant.  Governments give themselves legal means to coerce a business to give clandestine access to consumers who trust them with their information. The lawfulness of government orders are subject to an ongoing debate.  Most businesses do not want to rock the boat, denying access requests from the government. So businesses have to balance what may be legal with whether government requests are socially responsible. 

Governments treating everyone like persons of interest, make little distinction between criminal & non-criminal for targeted surveillance. They approach the best and most productive companies in the US and the world to make demands that they insert surveillance capability to watch their customers. That’s not in the business plan for most businesses.  It’s certainly not in the interests of continuing business led by consumer trust.

Consumers have different needs now. What consumers are left with in privacy means are a totally unsatisfying and treacherous experience. Consumers face diverse privacy perils if they choose to adopt a new online service or work with businesses who really don’t have a socially responsible privacy practice.  They don’t owe anyone any business who will trade up their privacy for a more cushioning of their business.

Consumers are going to do what’s best for them.  They will look for companies with good intentions and great information security practices.  The relief experienced by a consumer who has the option of adopting privacy ware is immense. For instance, a mobile device company who offers a great User Interface is a good candidate for strategic partnerships with privacy ware developers and applications store offerings.  They have a department that invests in a great user experience. It’s not illegal to produce privacy ware and produce encryption. To sell it or offer it to privacy concerned consumers opens a new market.  So why not offer more privacy provisions to customers and pass along the costs to try something new?

On the cutting edge of privacy

Privacy led development can give businesses a new edge in markets who left consumer privacy behind.  You can find ways to make privacy applications more diverse, invest in practical research (like active penetration testing & hackathons), and produce an offering that so many companies need.  However, so many data driven businesses will never see that as an opportunity.  They only see a rival.

It may be that a business just has a generally nasty attitude towards privacy compliance due to internal conflicts with branches of their business model. Companies have competed for data sales since the 80’s as a buffer against harder times. Many have also settled in comfortably with close relations with governments, developing contracts for products and services to serve their needs.  Providing non-government customers with products that curtail government access is seen as a conflict of interest. These companies have in fact become combative with privacy advocates seeking better privacy service offerings to consumers.  After taking the hard road, it would be difficult for them to conceive of the pro-sumer privacy offering.  It may also be their saving grace, especially if businesses thrive on meaningful innovations.

Business edge is about giving the customer a competitive option.  They can go to a privacy shirking business to try to get their needs met or they can go to someone else who has a real offering for them.  

Businesses need an intelligent approach to privacy that works within the marketplace.  It begins with a brave internal audit for privacy practices to meet the standards of the pro-privacy consumer.  That means recruiting people who have the right networks to help organize research and business partnerships with vendors who tailor technology suites for your customer base.  Businesses who take bold, intrepid steps to develop an internal consumer practice, that if adopted in stages, will validate consumer trust and brand loyalty. 

It may be time to allow a new privacy policy to create your loyalty leaders for the future.

-Sheila Dean

For more information about privacy logistics and social responsibility planning, please contact me for an introductory consultancy meeting.