By Guy Cohen, Head of Policy at Privitar 

Quite apart from the privacy violations US citizens experience, the lack of federal privacy legislation in the United States erodes public trust in the use of their personal data by all organisations, especially private sector ones, which has other damaging effects. COVID-19 has been a stress test for our institutions and infrastructure, shining a spotlight on issues with public trust in particular.

1) It’s past time. The U.S. needs federal privacy legislation.

In 2020, we now depend greatly on our data infrastructure, and the lack of public trust in that infrastructure is becoming a real problem. One specific example is contact tracing apps, which have emerged as a tool to assist in tracking and managing the spread of COVID-19. However, those apps require public buy-in and support to be effective. As of early October, North Carolina’s COVID-19 contact tracing smartphone app had been downloaded 85,000 times, which translates to just 0.48 percent of the state’s population. Virginia introduced an app in August and had 460,000 downloads after one month, about 5 percent of the state’s population. Pennsylvania had 1.4 percent of its population download an app, and Alabama just 1.5 percent. With adoption this low, tracking and managing the pandemic in the United States hasn’t been very effective. Germany, on the other hand, has very strong data protection laws and has already seen nearly 20m downloads.

The forces driving the need for robust privacy protections have accelerated this year, and not only because of the pandemic. Today’s privacy issues are a by-product of a data driven world, and with people continuing to live more of their lives online under lockdown, the importance of data privacy has grown. The problem with not acting isn’t just the cost to privacy, it’s that it also puts the promised benefits of the data age at risk. If we want to take advantage of tools such as contact tracing apps, we need to make sure those tools are trustworthy, otherwise they won’t be adopted. Trustworthy data management needs to be both perception and reality.  When individuals have enforceable rights of their data, know that there are rules for how their data will be handled, and mechanisms to ensure their rights are upheld, they feel more confident that they can share their data safely. We’re not there yet, but strong federal privacy laws will help.

2) The U.S. should draw on existing data protection laws.

The General Data Protection Regulation (GDPR) provides some sound concepts when it comes to data protection, but regulators should not adopt the GDPR wholesale when they draft federal privacy regulations for the United States. There are several common requirements in most data protection laws today, including the following:

  • Principles such as data minimisation
  • Rights such as subject access and right to erasure
  • Obligations such as privacy notices and data breach reporting
  • Enforcement such as through an independent sufficiently resourced authority with appropriate investigatory and enforcement powers

These common aspects of data protection laws are not specific to Europe or Brazil, they’re good ideas and should appear in the U.S. law as well. However, not everything in the GDPR is great. For example, small and medium sized enterprises who don’t process large volumes of sensitive data have struggled to understand their obligations, and arguably your local corner shop is not a significant source of privacy risk. Similarly, concepts of ‘special category data’ arguably aren’t suited to the data age, where proxies allow for inferences, and seemingly innocuous data sets can reveal highly sensitive properties.

3) We need policy innovation to match tech innovation.

One of the major questions for U.S. federal privacy legislation is whether it should be pre-emptive or not. That is, should states be able to pass stronger laws on top of the federal law or not? Pre-emption provides consistency between states, which helps business and also ensures citizens rights don’t differ based on where they or the data controller is based.

However, it also prevents innovation, and we still need a lot of policy innovation in this space. The history of European Data protection law is relevant here. Data protection law started off as something countries did independently. The UK passed its first data protection law in 1984. Later, Europe decided there needed to be greater consistency and passed the data protection directive in 1995. A directive, unlike a regulation, leaves a lot of wiggle room for nation states. Then in 2016 the EU passed the GDPR, making the law much more consistent across the EU, but it still left in around 50 different areas where nation states had ‘derogations’ — which meant they could choose how they implemented that part of the law.

We don’t need innovation in every area, and consistency matters more in some areas than others. For example, rights of access, correction, and deletion are all pretty well established elsewhere; there isn’t much need for these to vary by state, and arguably it would be unfair to consumers to vary these rights. On the other hand, questions on how to effectively regulate technologies such as facial recognition is much less clear, and a solution might be found fastest by letting states take different approaches and seeing which works best.

Our recommendation would be to have a pre-emption on the most important and agreed upon topics, like the core topics mentioned above, with specific derogations where there is significant disagreement or where innovation is needed.

4) Compliance requires well-resourced enforcement.

The second area of major disagreement between the political parties is over enforcement. The crucial issue is whether enforcement is left to a regulatory body or individuals are able to bring private rights of action in the courts and seek compensation for harm resulting from non-compliance. However, private rights of action (PRA) can be expensive for organisations that are trying to get it right. PRA may also not be particularly effective for data subjects, who may not receive much in compensation and then have to wait a significant period of time to get compensated. PRA is ultimately a reactive rather than proactive measure in which the only clear winners would be lawyers. The ideal scenario for enforcement is a well-resourced, active regulator. In the absence of this ideal option, we support the PRAs. The worst outcome of all is weak authorities and no PRA.

In the U.S. there seem to be two key options for where the enforcement powers sit: a new data protection authority, or giving new responsibilities and powers to the Federal Trade Commission (FTC), to work in collaboration with state Attorneys General. If the FTC leads the effort it brings data protection and antitrust powers together, which is critical in an age when products are free and data is the main source of value and competition.

Privacy protection isn’t partisan.

Both Democrats and Republicans recognise the need to protect privacy, and to gain the trust needed to mobilise data in the crisis. Although there is disagreement on some key provisions, there’s room for compromise and adjustment on both sides. We need to have balanced conversations about the demand for consumer data access and how to protect Americans and their sensitive data, so that we can use that data to innovate responsibly — and possibly improve health outcomes. In the interim, America is left lacking any federal standard, and the harm caused by that absence continues to build.

Watch the recording of our In:Confidence Digital panel discussion on data, digital transparency, disinformation, and privacy in the 2020 U.S. election.

Compliance