Stefanie Coyle, Education Counsel, NYCLU  & Irma Solis, Suffolk Chapter Director, NYCLU

The pattern is now familiar.

An immigrant student in Long Island’s Suffolk County is disciplined for “gang related” activity, often for something trivial, like wearing a Chicago Bulls t-shirt. Weeks or months later, the student is spirited away by Immigration and Customs Enforcement, detained — sometimes thousands of miles from their family — and put at risk of deportation.

What remains unclear, however, is the exact role the Suffolk County Police Department is playing in this tragic saga, which impacts dozens of immigrant students in the county.

The NYCLU sued SCPD this week to get answers. The suit comes after the department failed to respond to our Freedom of Information Law requests sent in August that sought information on its role in the identification and detention by federal authorities of immigrant students accused of gang involvement.

Our request was sent after NYCLU received several reports from families that ICE was targeting their children for removal after school officials had, in coordination with Suffolk police, disciplined students for gang-involvement based on flimsy evidence and vague criteria.

Officials at high schools in Suffolk County have suspended students based on questionable evidence of gang-affiliation, such as wearing clothing that police think is gang-related. But here’s the catch: Neither the police nor the schools tell students what clothing is not allowed.

While SCPD has refused to turn over information to us, the department has been pretty open about its close coordination with ICE and the Department of Homeland Security. This is especially true when it comes to the department’s heavy-handed crackdown on alleged MS-13 gang members.

“There are times when we know someone is an MS-13 gang member, and we know someone is an active MS-13 gang member, but we’re not in a position to make a criminal arrest,” Timothy Sini, the then-Suffolk County police commissioner and now Suffolk County district attorney, told the New York Times in June. “So another tool in our toolbox is to work with the Department of Homeland Security to target active known MS-13 gang members for violation of civil immigration laws, which is another way to remove dangerous individuals from our streets.”

In other words, when SCPD doesn’t have enough evidence to show someone committed a crime, police work with Homeland Security to get them removed from the country anyway based on the department’s assertion that the person being deported is gang affiliated.

But, as we’ve seen firsthand, the department’s claims about who is a gang member often don’t hold up.

NYCLU sued the Office of Refugee Resettlement (ORR) in February for indefinitely detaining dozens of immigrant children who had been placed in restrictive detention facilities. The lead plaintiff in the class action suit was suspended after he flashed two middle fingers at another student, and school officials accused him of displaying a gang sign. A few months later, he was detained by ICE and incarcerated for over seven months until our lawsuit was filed, despite an immigration judge ruling that he posed no danger to the community or to other students.

In documents presented to the judge, ORR said that Suffolk police had identified him as a gang member, even claiming he had gang tattoos. But he has no tattoos whatsoever and had never had any contact with the police. No one should be subject to suspension on a whim, especially not when that suspension could lead to detention and deportation.

It is undeniable that Suffolk County has a serious gang problem. But the cruel irony is that SCPD’s ham-fisted crackdown and close coordination with ICE make it more difficult to address the issue. The help of the immigrant community is critical to solving the gang problem, but people will be scared to talk to the police if they fear that any contact with local authorities could put them, or the people they care about, in the clutches of ICE.

And beyond how counterproductive this policing strategy is, it also terrifies entire communities. Immigrant teens and families on Long Island tell us they are afraid to go to school or even step outside because they are constantly treated as suspicious. By keeping their criteria for classifying people as gang members secret, and by sharing information with immigration authorities, SCPD is creating a climate of fear for immigrant families.

This has to stop. SCPD needs to be more transparent and work more responsibly with the community. The people of Suffolk County deserve answers.

Neema Singh Guliani, ACLU Legislative Counsel & Jay Stanley, Senior Policy Analyst, ACLU Speech, Privacy, and Technology Project

Mark Zuckerberg was in the hot seat this week, facing questions from members of Congress regarding the numerous Facebook privacy breaches that have been revealed over the last month. In the wake of these breaches, many are asking: Do Facebook and similar companies need to be regulated?

In considering this question, the U.S. can learn from the approach being taken by the European Union in its new data protection law, called the General Data Protection Regulation, or GDPR. Congress should look to this model and similarly enact comprehensive privacy legislation. Regardless of whether the latest debacles result in better policies at Facebook, consumers should not be reliant on the good will of companies for their privacy. Indeed, CEOs have made promises before only to renege on them as public outrage fades or profit temptations grow.   

The GDPR is an example of something many other countries have also adopted: a baseline comprehensive consumer privacy law, which puts into place some broad rules for the fair treatment of people’s information and creates shared expectations and understandings for consumers, businesses, and government alike. It also creates standards that will likely end up extending, at least in part, to internet users in the U.S. As a result, it will likely have a big effect on Americans’ privacy, and not only with regard to Facebook.

The EU has had an overarching privacy law since 1995, but the new law, which goes into effect on May 25, is significantly stronger — despite the lobbying efforts of Facebook and other American companies to weaken the GDPR’s protections.

While the new law only applies in the EU, it will help protect Americans’ privacy in several ways. First, the EU law raises international standards for privacy, and will influence policymakers in Asia, India, and other countries around the globe, creating a broad culture of compliance with privacy rules among the executives of global companies. That will inevitably spill over into how Americans do business.

More immediately, however, companies like Facebook that do business in both Europe and the United States will need to either do business in different ways in each location, or unify their practices to comply with the GDPR. Inevitably, in some cases they will choose the latter.

For example, one provision of the GDPR requires certain companies that control how and when data is processed to give users a copy of the data held about them within a set period of time in a commonly used electronic format. But many companies, especially large, global ones, hold data scattered across numerous departments, divisions, and databases. Such companies are currently working furiously to map and classify the data they hold so that they can comply with data requests and other obligations. That will affect the very structure of companies’ data operations.

Such considerations don’t just affect big international companies like Facebook. A lot of companies will be affected not because they do business in the EU but because they do business with a company that does business in the EU, explained Kurt Wimmer, a lawyer who helps companies think about compliance with the GDPR, at a recent conference. Wimmer also noted that since a lot of startups want to be bought by a larger company, they are starting to think about GDPR compliance as they design their company structures and practices. In fact, any company that wants to be a more attractive acquisition target, or that might want to enter the EU market at some point in the future, can benefit from structuring its operations the pro-privacy way, because restructuring data systems is not something that can be done overnight. As an example of the reach of the EU law, Wimmer said that The Washington Post, a seemingly entirely domestic American company, is planning to comply with the GDPR.

One of the criticisms of the EU’s old data privacy law is that enforcement and compliance were very lax. But the GDPR comes with a very heavy stick: Violations of the law can result in a fine of 4 percent of a corporation’s global annual revenue — a giant sum in the case of a large multi-national. As Wimmer put it, “the 4 percent fine is huge. That really has everybody’s attention.” Before the GDPR, he said, “data protection law was more of an IT or law department thing; now it’s a CEO-level concern, and that’s when companies really get serious about complying.”

One of the most important effects of the GDPR is that it could create pressure on companies like Facebook to provide U.S. consumers the same ability to control their data that the law gives to Europeans. In addition to the right to access one’s data, other important provisions of the GDPR that increase consumer control include:

• Consent requirements: The GDPR requires (absent other specified circumstances) that companies get users’ consent to collect, use, or otherwise process their personal data. The law tries to prevent this requirement from being rendered meaningless by unreadable and unread fine-print click-through agreements. It does that by requiring that this consent be specific, informed, freely given, and granted through an affirmative action or statement by the user. The company has to ask for consent in a manner that is intelligible, easily accessible, and uses clear and plain language. The user is also given the right to withdraw consent at any time.
• Take it or leave it: The regulation presumes that consent is not freely given if a company makes a “take it or leave it” offer, which says, “you can’t use our service if you don’t consent to data collection that’s not necessary for the service.”
• Data portability: The GDPR gives users the right to receive a copy of their data in a “structured, commonly used and machine-readable format” and to have this data transferred to another provider. The intent is to let consumers leave a platform without losing their data.
• Transparency: The GDPR requires companies collecting data to be transparent about their data processes. That means, for example, that users have a right to know how long their personal data will be stored, what categories of personal data are collected, whether they are subject to automated decision making, who else receives their personal data, and the purpose for which their personal data is being collected, used, or otherwise processed. Companies also have to be transparent about personal data they obtain from other sources.
• Limits on marketing uses of data: GDPR provides users the right to object to the use of their data for marketing purposes.
• Automated decision-making: With certain exceptions (such as explicit consent), the GDPR says that people have the right to not be subject to decisions based solely on automated processing if it has a legal or similarly significant effect. Given the rise of predictive algorithms in more and more areas of our lives, from insurance to policing to social services, this is a very significant protection.

The GDPR is not perfect. For example it contains a “right to be forgotten,” which in certain situations requires companies — including in some cases newspapers and search engines — to erase information about an individual upon that individuals’ request. We might not have a problem with a narrowly tailored rule that, for example, forces a company like Facebook to erase a user’s own account and data upon request. But in Europe (where free speech is generally less protected than here) their version is far too broad and if applied in the United States would likely violate the First Amendment by sometimes mandating what amounts to censorship of certain information about individuals. 

The GDPR also creates distinct protections for data that can reveal certain types of sensitive information, which may not reflect the full range of information that individuals find revealing. And as with any regulation, we don’t know how it will need to evolve as it is applied and enforced, and how effective it will ultimately be. Will it do enough to ensure real choice and transparency, and to curb the invasions of privacy that permeate so much of today’s online ecosystem? Will it do enough to ensure that consumers have meaningful choices in the market? Time will tell.

But the EU has at least begun to tackle the problem of protecting privacy in the information age. And if the EU can undertake such an effort, there is no reason that the U.S. should continue to lag behind with laws that are ill-equipped to ensure that individuals can meaningfully control their own data.

Mark Zuckerberg, in his congressional testimony, seemed to indicate that Facebook would offer “the same protections” to American users as they will to EU users under GDPR, but equivocated when asked whether Americans would have “all the rights” conferred by the GDPR. We’re not sure what he meant with that distinction, but his equivocation is worrying and Congress should press Facebook to make clear that the company will voluntarily apply all GDPR protections globally.

However, other multi-nationals that collect a lot of data about Americans may not extend GDPR rights to Americans. Regardless of any voluntary action on the part of companies, without U.S. legislation, American users aren’t going to have any legal standing to enforce the rights that EU citizens gain under the GDPR.

We shouldn’t need to rely on the promises of individual companies to protect our privacy. The GDPR will likely bring definite improvements for Americans, but our elected officials need to act as well, by creating a set of baseline privacy protections of our own.

This week, U.S. Sen. Tammy Duckworth, Democrat from Illinois, made history by becoming the first senator to give birth while serving in office. But within that headline is a truth unworthy of celebration: Due to outdated Senate policies, Duckworth may be unable to vote on legislation while she’s on parental leave.

The problem stems from the interplay of two Senate rules: Senators must be physically present to cast votes, and they may not bring children onto the Senate floor. Coupled with the fact that senators are not covered by any formal parental leave policy, these rules highlight just how out of touch the Senate is with modern life. It’s unacceptable that our public servants have failed to welcome a world in which a senator weighing in on legislation may also happen to be breastfeeding or caring for a new baby.

Duckworth is unfortunately not alone in facing a conflict between caring for her child and doing her job. Indeed, countless working parents face far worse, including outright job loss. The problem is largely that businesses are still designed for people who don’t give birth and aren’t primary caregivers. In other words, employers still cater to the male workforce of a century ago.

From pregnancy through parenthood, workers today face widespread discrimination despite laws such as the Pregnancy Discrimination Act (PDA), which was enacted 40 years ago, and the Family and Medical Leave Act (FMLA), which Congress passed in 1993.

For instance, our client, Illinois police officer Jennifer Panattoni, was forced to take roughly 7 months of unpaid leave when she was pregnant because her department wouldn’t temporarily reassign her from patrol duties. They refused her request for desk work even though the department routinely reassigns workers with other medical conditions that interfere with patrolling.

Katia Hills, a young mom in Indiana, is the lead plaintiff in our class action challenging AT&T Mobility’s punitive attendance policy. After taking time off for medical appointments, Hills lost her job because the company didn’t make any exceptions for pregnancy-related absences despite excusing other kinds of absences.

We also represent a class of female dockworkers up and down the west coast, whose ability to access high-paying union jobs is stymied by a discriminatory policy. The women’s seniority freezes when they take pregnancy-related leave, while coworkers absent due to on-the-job injuries or military service face no such penalty.

Workplace discrimination often continues after employees give birth. Those who are breastfeeding and return to the job, for instance, are often faced with employers who refuse to provide a safe, clean place to pump breast milk. This was the case for the flight attendants and pilots at Frontier Airlines, which offers no paid maternity leave or accommodations for employees who are nursing. As a result, many Frontier pilots and flight attendants have been forced to choose between going on unpaid leave and suffering the often painful consequences of being unable to pump milk at work.

Further, workplaces fail to provide parents the security they need to take care of their children and themselves. Although the FMLA provides 12 weeks of unpaid leave, only 60 percent of American workers are eligible under the law. Because there is no federal requirement for paid parental leave, only 13 percent of private sector workers have access to such a benefit.

Moreover, leave is gendered in a way that limits parents’ ability to care for their children. Sex stereotypes and discriminatory leave policies often make fathers ineligible for parental leave or unable to take such leave as a practical matter. This forces women to assume the role of primary caregiver regardless of what might be best for them and their families.

It is time our workplaces — including the U.S. Senate — adapt to meet the current reality: People who work may get pregnant, may need time off for caregiving, and may return to work while they are breastfeeding. These human conditions should not deprive them of the opportunity to continue to work if they are eager and able to do so.