By Francine Berman, Edward P. Hamilton Distinguished Professor in Computer Science
Nearly nine in 10 Americans are online. If you’re reading this on one of your devices, this includes you. Who gets to know where you are, what you like, or what you buy? Who makes sure that companies collecting your personal data operate in ways that benefit, rather than exploit, you?
In a year that brought us the Facebook Cambridge Analytica election scandal and the roll-out of the European Union’s General Data Protection Regulation (GDPR), data privacy has emerged as a core challenge of the Digital Age. As we scroll through inboxes full of notifications (“Your privacy is important to us …”), many wonder why companies are not doing more to protect our personal data.
A more pertinent question is why government isn’t doing more to develop legislation that limits the sharing of consumer information without permission. Asking the private sector to put the protection and privacy of individuals before their own competitiveness and profitability creates an inherent conflict—a situation where we are essentially asking the foxes to guard the digital hen house.
It is time for the public sector to create the policy and legislation needed for a safer and more secure cyberspace. Senator Warner’s 20 tech policy proposals, and Senators Markey and Blumenthal’s proposed CONSENT Act are good starts on a comprehensive government approach needed to address this problem. We must go the distance from proposals to law to really protect consumers on-line, and there’s no time like the present.
U.S. Data Privacy Regulation Is Needed NOW
Today, collection and analysis of personal data to influence and manipulate is commonplace. Companies monitor our browsing history, emails, and purchases. They analyze our photos. They collect information on our friends and interests. They do this to make their services and products more effective, useful, appealing, and profitable.
The challenge comes when collected data is shared with others without our consent—and often without our knowledge—by companies for purposes beyond serving us as customers. Who should be able to read texts on your smartphone or access information about where you go as monitored by your fitness tracker? Can this information be used against you in court? Can you be forced to pay higher insurance premiums based on data about your interest in motorcycle racing or your purchases at the liquor store? For the most part, the answers are currently determined by companies’ internal policies, rather than protections provided by the legal structure in which they operate. Good legislation will not only articulate personal protections but add mechanisms for accountability when laws are violated, making protections meaningful and non-voluntary.
Data Privacy Regulation Is Hard To Get Right
For companies, data privacy regulation can have big repercussions. Re-engineering or re-design of products, services, and platforms to comply with privacy laws may be hard and costly. Technology changes can be major depending on system architecture, algorithms, data access policies, and other platform components. Compliance with privacy regulation can also have other consequences. Products and services whose value is increased at scale may become less useful when not enough users opt-in or too many users opt-out. However, once regulation is in place, companies will innovate as they did to create their products in the first place, as seen by current efforts to comply with Europe’s GDPR.
We don’t have to start from scratch. In the U.S., we already have HIPAA (medical data privacy), FCRA (financial data privacy), COPPA (children’s data privacy), and other targeted privacy protection laws. Experience with what’s working and what’s not can inform the development of needed consumer privacy laws. Note that tech companies must be involved in the drafting of this legislation, as legislation that doesn’t address technical realities or largely promotes unanticipated negative outcomes isn’t necessarily better than no legislation at all.
Data privacy requires both companies and the government to do their part. Let your lawmakers know that we need to draft and pass federal legislation now to ensure personal data privacy protection before there is no privacy left to protect.