Editor’s note: Alex Alben is the Chief Privacy Officer for the State of Washington. He will be speaking at the GeekWire Summit, Oct. 2-3.
COMMENTARY: Privacy is in the news and consumers are worried about data breaches related to their transactions, finances, and healthcare.
Controversies were sparked by the Cambridge Analytica scandal and more recent revelations of Facebook’s extensive data sharing with third parties, such as device manufacturers. Hackers bombard networks with ever more sophisticated phishing attacks, seeking to exploit network vulnerabilities. The European Union has implemented an upgraded data protection regime, designed to give control of personal information back to the individual citizen. In June, California passed a sweeping new privacy protection act for state residents.
Yet as the privacy bus teeters at the edge of a steep road, the U.S. Congress and President seem to be asleep at the wheel. While we witness fiery rhetoric at televised hearings featuring high tech CEO’s and although a few members of Congress have put forth credible proposals to protect personal data, very little actual progress has been made to date on concrete consumer protection legislation. This paralysis at the federal level benefits neither companies nor consumers, as the time has come to craft new laws for an economy increasingly driven by data profiling and artificial intelligence.
Leading companies know that keeping consumer trust will continue to be a key to their business models, especially as more “consent driven” regulatory policies come into play. That’s one reason Amazon, Apple, AT&T, Google, Twitter, and Charter sent representatives to Washington, D.C. to for a Senate hearing on data privacy Wednesday.
Apple and Microsoft have taken strong stands in the past year to protect the privacy of communications, especially with respect to government inspection and interference. The resulting Cloud Act, which passed this March, reflects the tricky balance between a corporation’s desire to protect user data — such as emails stored on servers outside the United States — and law enforcement’s desire to look at private communication once a warrant has been obtained in a criminal investigation. Yet Congress only acted in this instance as a result of Microsoft pressing its legal arguments all the way to the Supreme Court.
The dramatic series of data breaches across almost every industrial sector has touched millions of Americans who have felt the pinch of either identity theft or data exposure. At this important juncture, government should act to protect personal data regardless of the platforms they favor, because most companies have simply not invested enough in either security or data governance. If we can set standards for protection of personal data, companies will adopt to the rules of the road and build business models and data governance practices accordingly.
We can either move to a more European model of data protection, recognizing privacy as an essential human right, or we can strengthen the consumer protection statutes more rooted in American concepts of law. On the one hand, the European path will require much more of a “cultural shift” toward privacy, as the right of privacy is deeply embedded in European law and data authorities across the continent are able to step up and interpret the nuances of the new GDPR (General Data Protection Regulation) standards. For Americans, the best argument to make to a lawmaker should be, ‘why shouldn’t we have the same personal rights in our data as Europeans?’
On the other hand, new privacy-oriented consumer protection based laws would build on more familiar American legal concepts, but such new laws would require a level of coordination to allow for consistent consumer expectations and for companies to develop their data-driven business models.
Amazon and other tech companies have already voiced concern about the effect of California’s new privacy law, which gives consumers certain rights to inspect and potentially delete their data.
While there is no easy path forward, consumers have the right to feel both angered and confused. Policymakers would be wise to tackle the question of new data protection standards before trust erodes in one of the new pillars of our economy.