Opinion | We Should Be Able to Take Facebook to Court
01/07/2019
After The New York Times revealed last month that Facebook continued to share personal information of millions of consumers with companies like Netflix, Yahoo, Spotify and Google — despite contrary assertions to Congress — many people decided to delete their Facebook accounts. But if Facebook’s actions, as described by The Times, violated the law, consumers should be able to send an even more powerful message, one that could leave a much larger imprint on the company’s ledger books: suing the company for damages.
Facebook knows this and has been working to make it near impossible to do so.
For example, consumers recently filed a lawsuit in Illinois claiming Facebook violated a state privacy law by using facial recognition technology on their uploaded photographs without their consent. Facebook is fighting the lawsuit by trying to get the court to buy into troubling arguments that would make it even more difficult for consumers to sue lawbreaking companies for damages.
Facebook is arguing that the law at issue doesn’t grant consumers the ability to sue companies, otherwise known as a “private right of action,” based solely on the fact that a company violated the law. Instead, according to Facebook, consumers should have to show that the lawbreaking practice caused additional harm beyond a mere violation to get their day in court and damages.
If you applied Facebook’s twisted interpretation of the law in this case to other contexts, sharing your intimate messages without your permission or handing over detailed profiles of you to political operatives without your consent — even if in direct violation of the law — alone shouldn’t cost the company a penny in court. Facebook is paradoxically arguing that privacy itself has no price, even in cases where it’s this precise lack of privacy that allows it to turn a profit.
It’s not the first time we’ve seen this argument, and other companies have made similar arguments in privacy lawsuits. In addition, major industry players, including the U.S. Chamber of Commerce, have put forward similar views. They are fighting legislation that would grant consumers the ability to sue companies for privacy violations and are lobbying for federal privacy legislation where enforcement is tied only to “concrete” harm, not necessarily to violations of the law.
It’s easy to see why.
Huge privacy violations have become commonplace. Without a private right of action, consumers have little practical ability to seek relief in cases where their data was mishandled or misused. This eliminates a powerful enforcement stick that can be used to dissuade companies from violating the law. A private right of action is also important because government agencies often do not have the resources to investigate and take action in every case where consumers’ privacy is violated. So, a private right of action may be the only avenue to hold a company accountable.
In rare cases, the harm from a privacy violation may be clear, such as losing a job, money or sense of safety. But in most cases, the harm, while staggering, can be virtually impossible to measure. For example, how do you prove the collective impact of having companies profile you based on sensitive health data, affecting things like the content you see and the ads you’re served? How do you measure the national-security or societal impact of having people targeted with divisive and exploitative ads? How do you determine the collective impact of consumers’ being stripped of control over information they own and having intimate details of their life, like relationship status and political views, shared with countless entities?
Industry players often seek to take advantage of the extreme difficulty that most people face in showing exactly how they have been hurt by a privacy violation. The bar is almost impossibly high for consumers or regulators who seek to rein in abusive data practices. Under the view that consumers must show “concrete” harm, it would not be enough to show that a company violated the law by, for example, sharing information without permission. And it would not be enough to show that millions of consumers were affected or that billions of pieces of information were improperly shared. For a fine or damages to be imposed, consumers would instead have the difficult burden of demonstrating that the unlawful collection of their own data damaged them in a tangible and measurable way, like causing physical, emotional or financial harm.
This limit on consumer suits might be good for industry, since it may insulate companies from legitimate lawsuits stemming from their irresponsible data practices and helps them emerge virtually unscathed following large-scale privacy violations that affect millions. But it’s a bad deal for everyone else.
In the wake of countless data scandals, it has become increasingly clear who is paying the price: consumers. At the same time, many major industry players continue to post record profits. It is past time to remedy this imbalance. As Congress considers federal privacy legislation, it should make clear that a privacy violation itself is a harm and that consumers have a right to take companies that propagate such harms to court.
Neema Singh Guliani is a senior legislative counsel at the American Civil Liberties Union.
Follow The New York Times Opinion section on Facebook, Twitter (@NYTopinion) and Instagram.
We and our partners use cookies on this site to improve our service, perform analytics, personalize advertising, measure advertising performance, and remember website preferences.Ok
Home » Analysis & Comment » Opinion | We Should Be Able to Take Facebook to Court
Opinion | We Should Be Able to Take Facebook to Court
After The New York Times revealed last month that Facebook continued to share personal information of millions of consumers with companies like Netflix, Yahoo, Spotify and Google — despite contrary assertions to Congress — many people decided to delete their Facebook accounts. But if Facebook’s actions, as described by The Times, violated the law, consumers should be able to send an even more powerful message, one that could leave a much larger imprint on the company’s ledger books: suing the company for damages.
Facebook knows this and has been working to make it near impossible to do so.
For example, consumers recently filed a lawsuit in Illinois claiming Facebook violated a state privacy law by using facial recognition technology on their uploaded photographs without their consent. Facebook is fighting the lawsuit by trying to get the court to buy into troubling arguments that would make it even more difficult for consumers to sue lawbreaking companies for damages.
Facebook is arguing that the law at issue doesn’t grant consumers the ability to sue companies, otherwise known as a “private right of action,” based solely on the fact that a company violated the law. Instead, according to Facebook, consumers should have to show that the lawbreaking practice caused additional harm beyond a mere violation to get their day in court and damages.
If you applied Facebook’s twisted interpretation of the law in this case to other contexts, sharing your intimate messages without your permission or handing over detailed profiles of you to political operatives without your consent — even if in direct violation of the law — alone shouldn’t cost the company a penny in court. Facebook is paradoxically arguing that privacy itself has no price, even in cases where it’s this precise lack of privacy that allows it to turn a profit.
It’s not the first time we’ve seen this argument, and other companies have made similar arguments in privacy lawsuits. In addition, major industry players, including the U.S. Chamber of Commerce, have put forward similar views. They are fighting legislation that would grant consumers the ability to sue companies for privacy violations and are lobbying for federal privacy legislation where enforcement is tied only to “concrete” harm, not necessarily to violations of the law.
It’s easy to see why.
Huge privacy violations have become commonplace. Without a private right of action, consumers have little practical ability to seek relief in cases where their data was mishandled or misused. This eliminates a powerful enforcement stick that can be used to dissuade companies from violating the law. A private right of action is also important because government agencies often do not have the resources to investigate and take action in every case where consumers’ privacy is violated. So, a private right of action may be the only avenue to hold a company accountable.
In rare cases, the harm from a privacy violation may be clear, such as losing a job, money or sense of safety. But in most cases, the harm, while staggering, can be virtually impossible to measure. For example, how do you prove the collective impact of having companies profile you based on sensitive health data, affecting things like the content you see and the ads you’re served? How do you measure the national-security or societal impact of having people targeted with divisive and exploitative ads? How do you determine the collective impact of consumers’ being stripped of control over information they own and having intimate details of their life, like relationship status and political views, shared with countless entities?
Industry players often seek to take advantage of the extreme difficulty that most people face in showing exactly how they have been hurt by a privacy violation. The bar is almost impossibly high for consumers or regulators who seek to rein in abusive data practices. Under the view that consumers must show “concrete” harm, it would not be enough to show that a company violated the law by, for example, sharing information without permission. And it would not be enough to show that millions of consumers were affected or that billions of pieces of information were improperly shared. For a fine or damages to be imposed, consumers would instead have the difficult burden of demonstrating that the unlawful collection of their own data damaged them in a tangible and measurable way, like causing physical, emotional or financial harm.
This limit on consumer suits might be good for industry, since it may insulate companies from legitimate lawsuits stemming from their irresponsible data practices and helps them emerge virtually unscathed following large-scale privacy violations that affect millions. But it’s a bad deal for everyone else.
In the wake of countless data scandals, it has become increasingly clear who is paying the price: consumers. At the same time, many major industry players continue to post record profits. It is past time to remedy this imbalance. As Congress considers federal privacy legislation, it should make clear that a privacy violation itself is a harm and that consumers have a right to take companies that propagate such harms to court.
Neema Singh Guliani is a senior legislative counsel at the American Civil Liberties Union.
Follow The New York Times Opinion section on Facebook, Twitter (@NYTopinion) and Instagram.
Source: Read Full Article