Written by Bailey Cho
While the European Union adopted the General Data Protection Regulation (GDPR) in 2018, the United States still lacks federal privacy legislation to ensure consumers have control over their personal data. Why hasn’t the U.S. been able to implement tougher privacy laws compared to the EU? According to Ridhi Shetty, Policy Counsel with the Center for Democracy and Technology’s (CDT) Privacy & Data Project, there are several barriers to passing such a law in the United States.
What validates “consent” for the consumer, and what are the ethical standards of collecting data online?
A paper published last year by the Harvard Berkman Klein Center tried to tackle this very question, and it identified common themes across different frameworks when it comes to data ethics. These common principles include transparency, accountability, accuracy in how personal data is used, and nondiscrimination: companies need to verify that automated decision-making doesn't deprive historically marginalized groups of economic opportunities compared to protected classes.
When it comes to making consent meaningful, you have to keep in mind that people can't truly consent to how their data is being treated if they don't have a real understanding of what's being done with it. We often see the “terms and conditions”, but people don't always read through them because they’re extremely long and rely on complex jargon. People just accept and hope for the best, which really isn't them consenting — it's that they can't use the service unless they “consent”.
Therefore, companies must explain to consumers in a more understandable way what's being done with their data, how and why it will be shared, which third parties will be receiving it, and why those third parties will be receiving it. Companies should only collect as much data as they need for the purpose consumers have consented to, so data minimization then becomes an important factor. Companies need to ensure they don't assume a consumer's inaction or silence is consent.
What has prevented the United States from implementing tougher privacy laws, such as the GDPR?
One of the major concerns for establishing federal privacy legislation is preemption. In other words, should a federal law be able to override — or preempt — a stricter, more protective state law? CDT pushes for comprehensive federal privacy legislation, because otherwise you kind of end up having a piecemeal approach, jurisdiction by jurisdiction. Every state is going to have its own version of consumer privacy rights, and many states are starting to come up with their own privacy legislation. With state legislation, there's always going to be the question of whether it is going far enough. It's important to have federal-level legislation ensuring all consumers, regardless of where they live, will have protections that are necessary and really lacking right now.*
Another point is the private right of action: if a company doesn’t comply with privacy laws, there is an ongoing debate over who would be allowed to pursue a civil claim in court. Some people want individual victims to be able to file a claim, while others want the Federal Trade Commission (FTC) — an independent agency of the United States government — to be the main enforcing body. There is even discussion on creating a new enforcement agency altogether.
The COVID-19 pandemic has accelerated digitalization. Many employers have even invested in technologies to reduce the risk of contagion, with some employees demanding tracking and monitoring as a condition to return to the workplace. If data is being used to protect people, shouldn’t safety override privacy concerns?
There are a few problems with this argument. First, increased data collection doesn’t always ensure safety. Technology can be used to check employees' temperatures and monitor symptoms, but it does not guarantee a COVID-safe environment, especially with asymptomatic individuals. One carrier can infect others, and employers wouldn’t be able to determine if an asymptomatic employee was contagious. In this instance, you just compromised privacy without accomplishing your goal. Tech-based health screenings can increase feelings of security, but they are not a replacement for preventative, non-tech measures, such as wearing a mask, social distancing, and implementing physical barriers.
Beyond the workplace, there is also the public's hesitance to engage with certain apps. Contact tracing was appealing in the beginning of the pandemic, but not enough people have downloaded these apps for digital tracing to be effective. There were legitimate concerns that contact tracing would open up data collection beyond what is necessary to monitor public health.
Even if people don’t understand the technical details, they know that their information can be exploited. The pandemic has aimed a spotlight on long-existing inequities that data collection doesn't serve certain marginalized communities and can instead be used for harm. Therefore, a balance is needed between serving the public with technology that meets their needs, providing transparency, and satisfying the intended goal.
End of Interview.
*The Debate Over Federal and State Privacy Legislation
Federal legislation provides a consistent framework for businesses, and it also ensures citizens' rights don’t differ based on where they or the data controller is based. This allows businesses to remain more competitive because they do not have to allocate as much time and money to legal compliance, which encourages innovation in their industries. In contrast, those who support state-level legislation argue that businesses support federal legislation to avoid tougher state privacy laws, and that local governing bodies are more accountable to their constituents than the federal government, resulting in stronger consumer protections [1].
Sources:
[1] theregreview.org/2020/03/19/gottlieb-persuading-privacy/