Editor’s note: Alex Alben is the Chief Privacy Officer for the State of Washington. He discussed privacy, data, and smart cities on this panel at the 2018 GeekWire Summit.
COMMENTARY: This year’s mid-term election raises the prospect that Congress will finally tackle the need to protect the data of American citizens.
With a new Democratic majority in the House and a GOP-controlled Senate that has been critical of tech companies, we may see an opening for a bipartisan bill that recognizes the privacy patient is now in critical condition. Here are some salient data points:
— We learned this year that Facebook allowed the personal data of 50 million users to be shared by a political data firm, Cambridge Analytica.
— Google recently admitted the exposure of personal information of hundreds of thousands of Google+ users.
— American consumers have yet to recover from the huge data breaches at Yahoo!, Anthem, Premera, Equifax and scores of others.
— The penalties in these cases tend to be trivial. Despite consumer outrage, the behavior of these companies does not change.
— Just a few weeks ago, Apple CEO Tim Cook told regulators: “Our own information — from the everyday to the deeply personal — is being weaponized against us with military efficiency. Today, that trade has exploded into a data-industrial complex.”
Consumers have demanded more privacy protection, but government at all levels has largely failed to act. While many of us might, understandably, be depressed by these trends, there is a path forward, so long as we correctly diagnose the problem, don’t overreact in terms of remedies, and adopt a balanced regulatory approach that safeguards consumers while protecting tech innovation.
First, we need to simply acknowledge that data has proliferated but data protection hasn’t. Over the past 20 years, we have witnessed the birth of the data mining industry. This technology sits behind almost every consumer application — both online and in brick and mortar stores. Your supermarket is tracking your purchases and storing the data. Its terms of service probably allow it to sell that data to others, who can market more products to you. In the U.S., this “virtuous marketing machine” is perfectly legal. And it is highly profitable.
Yet, the creation of pools of data — from consumer transactions to health care to finance — creates enormous risk. When it gets into the wrong hands, personal data can, in fact, be “weaponized” as Tim Cook says. It can be used for identity theft. It can be sold on the Dark Web. It can even be used for blackmail.
Yes, it’s true that social media and other platforms offer a free service in exchange for use of our data. But the scope of this data sharing and collection has reached absurd proportions. Facebook collects over 50,000 data points about each and every customer. Companies are routinely tracking our personal location through the GPS signals of our cell phones. The data broker industry in this country is a multi-billion dollar business and that business is built on our personal data, frequently collected without our knowledge or consent.
Second, we can find solace that things are different in Europe, where the privacy bar has been raised by a sweeping new set of laws. As you know, the General Data Protection Regulation went into effect at the end of May of this year, ushering in a new era of privacy protection for citizens of the EU. GDPR builds on decades of privacy regulation in Europe. They take privacy quite seriously there. In fact, it is considered to be an inviolable human right.
The good news is that American technology and other companies made major investments to comply with GDPR for their European customers. And some of them, such as Microsoft, have stated that they will apply these new protections across the board, even to Americans. In short, the privacy bar has been raised. The question now is whether we will seize this moment and act to put in place higher standards for the collection and processing of the personal data of Americans.
We all know that the federal government has failed to act in this space. As a consequence, the field is wide open for regulation to address how data is collected, profiled and sold without user consent. States can do so under traditional “consumer protection” law. We have had a consumer protection statute in Washington State since 1986. We passed a data breach law in 2015. We passed two laws regarding the use of biometric identifiers in 2017. But we can do more. Discussions have already begun in our state legislature to create a more sweeping law recognizing the public’s privacy rights and need to control their data. If Washington and other states act, Congress may feel the pressure to draft its own legislation that harmonizes a national approach to respecting data rights.
Finally, whether or not we pass new laws, we need to invest more in privacy and cyber security. If data is the driver of state government, then data protection needs to be the “high order bit” in our equation. Washington State started down this road three years ago by creating an Office of Privacy and Data Protection. We called for state agencies to develop Open Data plans. We also have organized our Office of Cyber Security to guard our network and promote security standards across the state enterprise.
In short, we need to get ahead of new technology, not be simply reactive. We are a tech leader and need to behave that way. New technologies are coming down the road — blockchain, biometrics, robots, AI — and we need to develop strategies and specific applications for each one. Each of these new technologies has major implications for privacy, as they are built on data sets. Unfortunately, we haven’t done a very good job embracing these new inventions to date. We have major public universities in Washington State and vital centers of learning. We have the brains to tackle these issues, and if we are serious about the privacy rights of our residents, then we must embrace new ideas and imaginative solutions to protect the data of the people who work and live here.