Computers, Privacy & the Constitution

LexisNexis? Third-Party Data Sharing With ICE and Potential Human Rights Violations

-- By AliJimenez - 9 May 2022

Third-Party Data Sharing & Implications

Companies have increasingly relied upon vendors for services. Third-party vendor use has been defined as a person or company that provides services for another company (or customer). These services range from assisting with cloud web hosting services, cloud-based software solutions, equipment maintenance, and contractors, to name a few.

Since Third Party vendors are companies with written contracts to provide products to customers on behalf of an organization, they typically have access to sensitive data like company, customer, and employee information.​​ Even though companies consciously outsource their needs and data to third-party vendors, privacy risk is considerable for individuals who engage with their database because their data can land in hands they did not intend. Making matters worse, the law tends to protect the outsourcing of data provided by individuals. Thus, individuals must consciously check how their data is being utilized to ensure they willingly give their information in ways they deem acceptable.

Background on LexisNexis? Data Sharing Contract With ICE

On April 2nd, 2021, LexisNexis? signed a $16.8 million contract to sell private data information to U.S. Immigration and Customs Enfrocement. While LexisNexis? has been known to many in the legal profession as a legal research tool, this expansion in their role as data brokers for ICE meant that LexisNexis? can provide the government with access to large amounts of personal data information.

With the help of LexisNexis? ICE specifically uses the information provided to aggregate data and build profiles on individuals they deem may be acceptable targets for deportation. They compile these profiles by stitching together criminal records, credit and employment history, utility bills, and license plate numbers, among many other data points. This has dire consequences for immigrant communities.

The Legal History of Third-Party Data Sharing

Precedent on privacy rights and data is outlined in Katz v. US. In this case, the Court held that the Fourth Amendment protects people, not places. Essentially, when a person knowingly exposes information to the public, that information is not subject to Fourth Amendment protections, but what they seek to preserve as private if even in an area as publicly accessible, may still be constitutionally protected. The two-part test that came forth from this case law was information would be constitutionally protected if “first that a person has exhibited an actual (subjective) expectation of privacy and, second, that the expectation is one that society is prepared to recognize as 'reasonable.' This essentially set the history for the privacy cases that followed.

Looking forward, in United States v. Miller, the Court further expanded on this case law to provide the proposition that “the Fourth Amendment does not prohibit the obtaining of information revealed to a third party and conveyed by him to Government authorities, even if the information is revealed on the assumption that it will be used only for a limited purpose and the confidence placed in the third-party will not be betrayed."

Thus, legally speaking, once third-party disclosure occurs, any fourth party who can evade that legislation is free to hand such information to the government.

Legality of LexisNexis? ’s Contract

Since ICE uses LexisNexis? in immigration enforcement, the question then naturally arises is this a privacy violation? LexisNexis? acquires information on immigrants from third-party digital intermediaries that transmit and store their information. LexisNexis? then provides this information to ICE, a governmental agency. Thus, when looking at the case law, it seems as if LexisNexis? and ICE are within the realms of legal action under privacy law. Once a third party provides this information to an additional company, this information can legally be provided to the government.

This is yet still concerning. This data sharing has implications for immigrant communities that are extremely harmful and even life-threatening. Thus, the question of how to correct this course of action remains.

Potential Solutions to the Issue

While data breaches are not always at the hands of the original organziation, for customers, these breaches will always be associated with the company they are doing business with. Thus, even if a breach is a result of a third-party services provider, the organization is seen as the source of that privacy concern. This also presents legal issues since the organization itself often will have difficulty showing the steps it took in risk mitigation and will retain responsibility even if a third party handled its data. Thus, it is essential for organizaitons to set up strong cyber vendor management procedures. Not only for customers, but their own safety.

Potential Solutions to Maintaining Privacy Amidst Third Party Vendor Use

Another means for correcting these privacy violations is declaring these human rights violations. According to regulations put forth by the United Nations Human Rights Council, all businesses have a responsibility to respect human rights. LexisNexis? is also held responsible for these guidelines. The Guiding Principles on Business and Human Rights details what companies must do to meet their international human rights responsibilities.

A business must evaluate how the actual or potential adverse human rights impact connects to the business. For example, suppose a business itself does not directly harm human rights, but an impact is linked to its operations, products, or services and caused by a party with which it has a business relationship. In that case, the business must use its leverage to mitigate the impact and, if unsuccessful, consider ending the relationship with the violating entity.

There is likely a potential means to correct this significant privacy issue through human rights violations. The company is contributing to human rights violations for immigrant individuals within the US by subjecting their information to ICE through their data analysis technology. Since LexisNexis? has not stopped or prevented its contribution, human rights remedies are likely in store.

You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:

Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.


Webs Webs

r3 - 09 May 2022 - 17:41:40 - AliJimenez
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM