Computers, Privacy & the Constitution
-- DanielleTomson - 11 May 2018


Transparency International: Finding Relief Abroad in Data Privacy and Protection?

Ours is a world that is both everywhere and nowhere, but it is not where bodies live. – John Perry Barlow’s “A Declaration of the Independence of Cyberspace, 1996

I. Introduction: Personal Data and Tyranny

While cyberspace might feel like “everywhere and nowhere,” ultimately personal data are housed and processed in physical servers across jurisdictions. As such, many people feel entitled to knowing where this personal information is, who has it, how they got it, and what they are doing with it. Yet, these feelings of “owning one’s data” do not necessarily translate into legal rights—at least in the United States. There is little legal recourse to understanding how private companies collect, store, and trade this information—let alone preventing this kind of corporate surveillance. Understanding how private actors collect and use our information consensually given, only then to be watched by government without our consent (as the Snowden leaks revealed), becomes an important tool for citizens in the fight against tyranny. In the UK and Europe, recent laws have been put in place to give individuals more control over their personal data, including information about who uses and shares it plus the right to have it removed from various domains. A recent case from American and New School Professor David Carroll suing Cambridge Analytica and its UK parent company SCL Group sets precedent that Americans with data in the UK can have jurisdiction and therefore some statutory cause of action regarding their data privacy and use. While American statutes and constitutional rights might not give us explicit courses of action, in the “everywhere and nowhere” of cyberspace, we Americans might find ourselves or our data about ourselves somewhere with more protection like the UK, opening up a new paradigm in understanding our data and legal rights in a transnational manner.

II. A Close Read of the Case

According to the legal claim submitted by his lawyer, David Carroll, an American citizen and professor at the New School submitted at subject access request (SAR) in 2017 to Cambridge Analytica, made possible under the UK Data Protection Act (DPA) of 1998. Under Section 7.1 of the DPA, individuals can request from a private company all of one’s personal data, the purposes for which the data have been used, how it is being or will be processed, and the recipients to whom the data are being disclosed. In response to the SAR, Carroll received some data and a letter from Cambridge Analytica, signed by a director of SCL group, a parent company in the UK known for its military contracting. The data included personal information as well as data on his political beliefs, but it was far from the “up to 5,000 data points on over 230 million American voters” (according to a bragging Cambridge Analytica sales pitch Carroll cites in the claim) indicating to Carroll that the set wasn’t complete. In turn, he sued Cambridge Analytica and SCL Group in the UK to retrieve his complete personal data set, the sources of the data, the model running analysis of the data, and the names of Cambridge Analytica clients who benefitted from the data. He won. On May 5, the UK Information Commissioner demanded SCL comply. Carroll explains that he filed the SAR in 2017 out of curiosity because he suspected that Cambridge Analytica had processed American voter data in the UK—and he wanted to know the composition of those data, given Donald J. Trump was a client and the company might have been connected to Russian social media meddling. When he saw SCL signed off on the limited release, he became even more suspicious. Yet how did an American citizen claim these rights in the UK?

III. The Law and Jurisdiction

As outlined in the claim, under Directive 95/46/EC of the DPA, the data processing systems must “whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably the right to privacy.” The DPA also defines the “data subject” or “personal data” to be inclusive of personally identifiable information, “political opinions,” and “religious beliefs or other beliefs of a similar nature.” The DPA applied to the data controller, as it was established in the UK and processed data there, even if only for transit. With Cambridge Analytica processing his data in the UK, Carroll had right to a full SAR claim under UK law. Cambridge Analytica’s lawyers rebuked Carroll’s claim, saying he had no more access to data rights in the UK “than a member of the Taliban sitting in a cave in the remotest corner of Afghanistan." That said, under the fullest extent of UK law, Carroll’s claim was valid. With SCL and Cambridge Analytica now compelled to release American data, privacy advocates everywhere should rejoice that they have just received a bellwether for what might come once the European General Data Protection Regulation goes into effect later this month.

IV. Implications and Future Applications

We cannot essentially “FOIA” a private entity in the United States in order to see what information they hold about us. We instead rely on corporate benevolence and their fears of the creation of regulation in order to compel certain behaviors, which are not legally binding, in order to ensure our privacy and protection of sensitive personal information—which can have impacts on our wellbeing, livelihoods, and dignity (one need not look further than credit reports’ impact on job prospects or the police surveillance of vulnerable communities for evidence of this). However, knowing that Carroll asserted his rights under a different jurisdiction opens up an interesting possibility for holding increasingly consolidated and monopolistic corporations accountable. Thanks to cases like this in the UK, Americans might hold Facebook accountable for sharing data with Cambridge Analytica and possibly violating its 2011 consent decree, with consequential fines up to $4,000 per violation. In an age where activists must get creative about protecting individuals against corporate or government tyranny (increasingly indistinguishable), using a foreign statute to compel disclosure, under the power of the law, not public pressure, is a powerful methodology. It gives us the ability to look under the hood in the algorithmic black box of microtargetting companies whose “Terms of Service” we never consented to giving our data – even if we did on another platform. Using the laws of one state to fight tyranny in another sounds like a compelling tool in the freedom fighter’s box.


Webs Webs

r1 - 11 May 2018 - 17:14:06 - DanielleTomson
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM