The United States lags behind other countries when it comes to privacy. As part of their Privacy Project, the New York Times editorial team recently explored how Europe has succeeded in passing sweeping data protection regulations while the U.S. muddles along with decades-old legislation. Fortunately, there are significant signs of change, as state after state pursues privacy legislation and public opinion has dramatically shifted in favor of data privacy. Even major proponents of self-regulation are finally acquiescing that some regulation is necessary. Congress should harness this momentum and craft legislation that integrates data privacy as an individual right and enabler of innovation and development. The whole world is watching. If done well, the U.S. can provide the global model for data privacy as a fundamental right and essential component to a functioning democracy.
Europe’s General Data Protection Regulation (GDPR) is the most prominent legislation focused on individual data protection and currently serves as the global democratic model for digital privacy. Europe isn’t alone in implementing vast data regulations. Across the globe, governments are enacting significant legislation focused on data access and privacy, the majority of which are by authoritarian regimes that increasingly mandate government access to data. Absent a more prominent democratic model, the authoritarian model is diffusing and significantly debilitating privacy and individual rights across the globe.
The U.S. can, and must, fill this global vacuum while reinforcing American ideals of individual freedom and democracy. Domestic public opinion has dramatically shifted over the last few years thanks to third-party data sharing scandals such as Cambridge Analytica, the continuous drumbeat of data breaches such as Quest, Marriott, and Equifax, irresponsible data management that has left databases and cloud servers exposed online, and case after case of nebulous data collection practices that strike at the heart of privacy and security.
While Congress continues to introduce a broad range of legislation and holds hearing after hearing on data privacy, states are moving full steam ahead. California’s Consumer Protection Act (CCPA) goes into effect in January 2020, and is currently the most far-reaching policy—but faces significant forces seeking to weaken the law. Passed last year, the CCPA has helped ignite a broader state-level movement. Vermont has passed legislation aimed at data brokers, while Nevada’s law that comes into effect in October focuses on consumer protections against the sale of their personal data. Two consumer privacy bills have been filed recently in the Texas legislator, while Maine’s governor just signed into law consumer protections against internet service providers from selling their browsing data without consent. A recent New York proposal arguably goes the farthest to provide individual data rights by empowering individuals to sue over data rights violations. The New York proposal also integrates the notion of data or information fiduciaries, wherein companies agree to certain security and privacy responsibilities and are prevented from using individual data in a way that advantages corporations and is detrimental to individuals.
These are just a few of the many state-level privacy regulations, each of which takes distinct angles toward data privacy and security. These laws reflect the growing demands of their constituents but also have served as a significant forcing function for a federal law given the business complexities that emerge due to the growing patchwork of industry and state-level legislation.
At the federal level, there are no shortages of proposals pertaining to data privacy, but none have yet succeeded in becoming a law. The New York Times editorial team succinctly highlights several shortcomings in some of the existing proposals, including the concern over preemption. In this context, preemption refers to the passage of a federal law that would weaken many of the state-level privacy regulations.
While preemption absolutely is a valid concern, there also are proposals that more appropriately address the current security and privacy challenges. As the editorial team notes, “many of the privacy bills introduced this session show a sophisticated understanding of the market for personal information, the nation’s woefully inadequate cybersecurity and the many dangers posed by a sector of the economy that has proved itself incapable of self-regulation.”
These federal proposals benefit from existing state-level privacy laws as well as the GDPR, internalizing lessons learned and insights from predecessors. In this regard, the U.S. could actually benefit from a second-mover advantage by taking these lessons learned and harnessing the current momentum to reaffirm a commitment to digital privacy as a core individual right and foundational to a modern democracy. This will not only require opposition to the influential groups favoring preemption, but it demands a nuanced understanding of the complexities of privacy within the current threat and emerging technology landscape. However, by building upon those lessons learned, the U.S. has a golden opportunity to embrace the current privacy movement, reassert global leadership through a comprehensive federal privacy law, and help shape the future of privacy, the internet, and democracy across the globe.