Speech by Marc Rotenberg to the 12th Annual Dave Ellis Memorial Lecture

20 December 2018


“The regulation of social media, privacy and access to justice” Dave Ellis Memorial Lecture
Marc Rotenberg, President EPIC

Dublin, Ireland December 13, 2018

(prepared remarks)

It is an honor to be with you this evening. My thanks to Eilis Barry and the Free Legal Advice Centers for organizing this event. Tonight we honor Dave Ellis, a community activist who dedicated his career to working with community groups on welfare rights, legal aid, and legal education. Dave established the Community Legal Resource to assist the not-for-profit sector after working for many years at the Coolock Community Law Centre, now the Centre Community Law and Mediation.

I did not know Dave but his spirit is with us tonight, both with those who remember his good deeds and those who now provide legal assistance to those in need, thanks to the programs Dave established. Many of us in the legal world are inspired by people such as Dave Miller. They provide an opportunity for a young lawyer to help a community, they help us as our careers progress, and they remind us that the law can be a powerful force for social justice.


I would also like to acknowledge FLAC for the critical role that it plays today, providing legal information, advice, and training to thousands of people across Ireland. I read in your recent report that you received more than 25,000 requests for legal assistance, provided training for more than 200 volunteers and work with more than 100 NGOs and community organizations to help ensure that those who need legal assistance are able to obtain it. It is a critical service that you provide. I know also that such work is not possible without a dedicated and talented, strong leadership, and loyal supporters. And so tonight we recognize your good work.

I am here also as one of your clients to thank you for the assistance you provide to my organization, the Electronic Privacy Information Center, a Washington NGO so that we could pursue a critical data protection case now before the Court of Justice of the European Union. EPIC routinely participates in significant privacy cases in the United States. But we lacked both the ability and

the legal authority to participate in cases before European courts. And so we reached out to FLAC who have provided expert advice in the Schrems case. It is not overstatement to say without FLAC, our case would not go forward.

And so with warm regards from me, EPIC Senior Counsel Alan Butler, and EPIC International Counsel Eleni Kyriakides, and all of working to safeguard privacy in our modern age, we offer our sincere thank to Eilis, Sinead, Colm, and everyone at FLAC who has helped bring the EPIC case concerning privacy to the Court of Justice of the European Union


Establishment of EPIC

To understand our case and the importance of privacy in the modern age, I need to say a few words about EPIC, the Electronic Privacy Information Center. We launched almost 25 years ago over the freedom to use encryption. At issue in 1994 was a plan from the National Security Agency to establish Clipper, a plan for key escrow encryption that would give the government access to private communications.

We wrote to the President and explained that the plan would put at risk the privacy and security of lawful conduct, and we warned that weakened encryption would create vulnerabilities that criminal hackers would exploit. Many people agreed with us and soon we had 50,000 people in support. We had created the first Internet petition, which we delivered to the White House. The plan for Clipper was suspended, and we choose to establish to take on the challenges of the Internet age.

Since our beginning, EPIC has focused on emerging issues of privacy and human rights. We defend the rights of consumers, the rights of citizens, the rights of users of Internet-based services. We are an independent voice in Washington, DC. We do not take funding from the private sector or grants from federal agencies. To be effective, we believe it is vital to base our actions on what we believe is necessary.


The 2016 Election and the Defense of Democracy

I would also like to say a few words about EPIC’s current work. As I explained, EPIC has long championed the right to privacy and open government. But the US election in 2016 raised a new concern for us. Substantial questions were raised about foreign interference in the election, the manipulation of social media, and financial relations between US political candidates and foreign governments.

In 2017, EPIC launched a new project on Democracy and Cybersecurity to determine the extent of Russian interference with the 2016 Presidential election and to prevent future attacks on democratic institutions. The US open government law – the Freedom of Information Act – is critical to our work to hold government accountable.

EPIC is currently pursuing several Freedom of Information Act lawsuits. In EPIC v. ODNI, EPIC sought the public release of the report of the Intelligence Community on the Russian interference with the 2016 election. The Director of National Intelligence had determined that the Russians had launched a multi-prong attack on the Presidential election including the use of automated Internet accounts – bots – to provoke political divisions within the US. The report warned that the Russian government had used social media platforms, such as Facebook, in an attempt to influence the outcome of the U.S. election. Through EPIC’s Freedom of Information Act litigation, we were able to confirm that the classified report contained identical findings to those that appeared in the public report. The problem was real and widely known across the federal government

In EPIC v. FBI, we sought records concerning the FBI’s response to an attack by a foreign government on the political institutions of the United States. As the lead agency responsible for the protection of US organizations from cyber- attack, we believed that the public had the right to know whether the FBI had fulfilled its responsibility to safeguard the American public. [Story about how FBI notified John Podesta that his email was breached several days after the national news had widely reported the story.] EPIC’s FOIA work shows that the FBI failed to follow the stated procedures to notify victims of a cyberattack.

In EPIC v. DHS, EPIC is trying to determine the role of DHS in election integrity. As elections have moved online, there is growing concern that we are facing new risks to election integrity. Many computer scientists believe that online elections are inherently insecure and have urged a requirement for paper ballot, with the possibility of optical scanning,

In EPIC v. IRS, EPIC is seeking the release of Donald Trump's tax returns. You may be surprised that a privacy organization would seek the release of tax returns, but it is a well-established tradition that candidates for the President should make available their tax returns so as to ensure that there are no conflicts of interest or secret dealings that might compromise a public official.

This view of privacy is consistent with that of Louis Brandeis who wrote the famous article on the right to privacy in the Harvard Law Review more than a century ago. In that article, Brandeis set out the foundational claim for a fundamental right to privacy, a right to restrict the publication of true facts about an individual. But he also said that we must recognize a competing right to know, and that right to know is greatest when the private facts concern those who stand for public office.


President Trump was the first candidate for the US Presidency in more than forty years who chose to withhold his tax returns. Even though he repeatedly promised during his campaign to make those records available, he failed to do so. So, EPIC sought the public release in an open government request to the IRS. And in a second case we sought the release of tax returns of President’s Trump’s businesses. We are still litigating those cases and we are optimistic that eventually those tax returns will be made available to the public. This is not a partisan or political action. This is an effort to safeguard democratic institutions and hold accountable political leaders.

And perhaps the most significant case that EPIC undertook since the election was our effort to block a Presidential commission from obtaining access to voter data collected by state election officials.

[Discussion of EPIC v. Presidential Election Commission and the protection of state voter data, which led the end of the Commission and the deletion of the data wrongfully obtained.]

All of these cases seek to promote government accountability, to safeguard democratic institutions, and to ensure that the public is able to understand and assess the threats to the election system.



Our democracy is shaped in increasingly by Facebook, the social media platforms that intermediates our society and shapes our political dialogue. For more than a decade EPIC has worked to establish democratic accountability for Facebook

  • - 2007-2009 campaign – democratic accountability
  • - 2009-2011 investigation and consent order
  • - 2012 EPIC v. FTC
  • - 2014-2016 Facebook’s acquisition of WhatsApp
  • - 2016 Brexit and US election
  • - 2018 March – FTC announces new investigation but no action - 2018 September – UK ICO releases report and issues fine
  • - 2018 December – still no action FTC

We believed that the consent order, obtained in 2011, was an enormous victory and that we had established legal accountability for the company’s business practices. But the FTC ignored reported warnings that the company was violating the terms of the consent over. In the seven years since the original judgement, the FTC did not issue a single fine against the company.

It is easy to see the ineffectiveness of the FTC with a comparison of the UK Information Commissioner. Following the news of the Cambridge Analytica, and in less than six months, the British Data Protection Agency conducted a detailed investigation, issued a comprehensive report with recommendations, and imposed a substantial fine.

The US FTC’s failure to act in the Facebook matter has had real consequences. It is quite possible that if the FTC had enforced the order and prevented third party access to personal data without meaningful consent, there would have been no Cambridge Analytica, no Brexit, and no election of Donald Trump.


Artificial Intelligence and Transparency

One of our newest challenges concerns the growing importance of Artificial Intelligence. Increasingly the decision about individuals for employment, housing, credit, and even criminal sentencing are being made by complex algorithms that are entirely opaque. We are not against automated decision-making, but we believe it is absolutely critical that such decisions are fair, transparent, and accountable.

Several years ago, EPIC launched a campaign in support of “Algorithmic Transparency.” Our point was simple: we did not want to live in a black box society in which decisions about us are based on factors we do not see and cannot control.

More recently, we called for the establishment of the Universal Guidelines for AI. The aim is to maximize the benefits of AI, minimize the risks of AI, and protect fundamental human rights. We say specifically in the Guidelines that governments should not establish secret profiles or score citizens or residents.

We launched the Universal Guidelines at the Public Voice conference in Brussels in October with the support of Helen Dixon, the Data Protection Commissioner for Ireland

The Universal Guidelines have now been endorsed by more than 200 experts in 40 countries, and 60 NGOs, including the American Association for the Advancement of Science.

We hope that the Universal Guidelines will provide the basis for national law, international agreements, professional codes of conducts, and the design of systems.

In the digital age, access to justice will require the ability to access, interpret, and regulate the computer rules – the algorithms -- that determine justice.


Role of Ireland

But our concern today is to ensure accountability for the giant firms, such as Facebook, that now dominate our lives. We do not oppose innovation. In fact, innovation emerges from competition.

And it’s easy to criticize Facebook for their business practices and their disregard for the rights of internet users. However, the real responsibility lies with those who have the authority to regulate internet companies and protect basic rights. We must expect more of those who are responsible for safeguarding the public interest.

Ireland’s role as a key regulator of the internet giants is being watched worldwide, particularly by organizations that advocate for human rights and privacy. This is a big responsibility for any country, but a responsibility that cannot be shirked.

As home to the European headquarters of the world’s biggest social media corporations, Ireland now has a critical responsibility to safeguard fundamental rights in the digital age. Enforcement under the GDPR and new laws to address the challenges of fake news and hate crimes in cyber space should be top priorities for the Irish Government.

We appreciate the opportunity that FLAC has provided to work together on these important issues. Thank you again for your kind attention. I look forward to your questions.