Why a Privacy Law Like GDPR Would Be a Tough Sell in the U.S
Today, the European Union cements its status as the global leader in data privacy. The E.U.’s sweeping new data privacy law is taking effect, ushering in new restrictions on what companies can do with people’s personal data and setting tough penalties for those that break the rules. In theory, there’s nothing preventing the United States from adopting a set of privacy standards that are just as broad and forceful. Indeed, many privacy advocates have called for it. But on this side of the Atlantic, it’s still kind of a data privacy free-for-all.
The European law, known as the General Data Protection Regulation, or GDPR, requires companies that collect data on E.U. citizens to use simple language to explain how they handle it. Companies must get explicit consent from consumers before doing anything with their information and allow them to request copies of their data or delete it entirely. The law also mandates that companies report data breaches on strict timelines. Fines for violations could cost them 4 percent of their global profits.
There’s no equivalent of the GDPR in the United States, nor is there likely to be one anytime soon. A mosaic of different state and federal rules, some of them vary widely, govern some of the same issues, but there’s no central authority that enforces them. That’s not to say the GDPR won’t affect the United States. It will. American companies that operate in Europe (or otherwise serve E.U. citizens) have to comply. Facebook, Google, Apple and other tech giants have revamped their privacy policies internationally in preparation for the new rules and readied new tools for people to download and delete their data, as my colleague Elizabeth Dwoskin reports. But the law isn’t legally binding in the United States, meaning that people living here don’t have the same recourse as an E.U. citizen if they believe a company runs afoul of the new law.
Google, Facebook, Apple, and others have been rushing to ready new tools for people to download and delete their data — along with revamped privacy policies and interfaces that purport to be more digestible. On Thursday May 24, 2018, Facebook said it plans to insert alerts in the news feeds of more than 2 billion users in the coming weeks, giving them a series of choices, including whether they want Facebook to use face recognition on their photos and whether the company can use information collected about them from advertisers.
Does the United States need something similar? Depends on who you ask. But here are a few reasons a GDPR equivalent would be a hard sell here.
1. There’s no agency to carry it out.
E.U. member states have their own data privacy authorities to enforce the GDPR. That doesn’t exist in the United States. The closest equivalent is the Federal Trade Commission, which is the main agency that enforces U.S. privacy policy. But its powers are thin compared to its European counterparts. It has little to no oversight over a range of businesses and industries, including airlines, universities, nonprofit organizations, and banks, for example. “Even if the FTC were to use its rulemaking authority to promulgate a set of commands, there’s no public institution in the U.S. that has that breadth of authority, and that’s a big gap,” William Kovacic, a former general counsel, member and chair of the FTC during the Barack Obama and George W. Bush administrations, told me. Other agencies such as the Education and Commerce Departments have data protection functions, and states have their own laws and regulations governing data privacy. But there’s no mechanism in the federal government to bring it under one roof. “In many ways, we have an antiquated policymaking infrastructure,” Kovacic said. “It’s a patchwork of controls that have no unifying principles and no unifying institutions to coordinate policy.”
2. Congress won’t go for it.
It’s challenging enough to pass simple legislation in a gridlocked Congress. Getting something as complex as the GDPR approved would be a huge undertaking. Privacy legislation far less sweeping than the GDPR has stalled over and over in recent years. Legislation to create a federal standard for how companies and agencies report data breaches, for example, has repeatedly dead-ended — even after hackers stole the personal information of 22 million federal workers from the White House Office of Personnel Management in 2014. The uproar over the misuse of millions of Facebook users’ data by the political consultancy Cambridge Analytica has led lawmakers to introduce a flurry of new privacy-related legislation. There’s one bill that would expand the FTC’s authority and impose new restrictions on data collection, and another that would give people greater control over what companies can do with their information. Several similar bills are up for consideration.
But rallying support around those measures and others could be a struggle, said Joel Wallenstrom, chief executive of the secure communications company Wickr. “Aside from the overall challenging legislative environment in the U.S., any proposal will face resistance from a very powerful tech lobby,” he said. “With GDPR primarily being focused on protecting European users from large U.S.-headquartered service providers like Google, Apple, Facebook, and Amazon, some policymakers may see it as E.U. enforcing a privacy tax on U.S. companies. And there is certainly less hunger in Congress to penalize or tax U.S. corporations, particularly given the 2016 electoral mandate to regulate and tax less.” Other complications could arise as well, he said. “We have some policymakers calling for stronger data protection in response to the Cambridge Analytica scandal at the same time as others are calling to mandate backdoors into encrypted communications systems designed to protect the very same users. These conflicting demands are destined to undermine each other.”
3. There’s not enough public demand for a data privacy overhaul…
The Cambridge Analytica scandal has spurred a fevered national debate about data privacy, elicited public apologies from Facebook chief executive Mark Zuckerberg and brought federal law enforcement investigations. But did it move the needle enough for the U.S. government to follow Europe’s lead? Probably not, Kovacic said. Change such as that “often takes a kind of shock” akin to the 2008 financial collapse, he said. “We wait until there’s a grievous event and then do emergency-room surgery to fix it.” He continued: “As the magnitude of the Facebook lapse becomes apparent, maybe that would be enough to galvanize some effort. But I’m not sure that’s a severe enough shock to do it.” What’s more, the GDPR’s ripple effects in the United States may have gone far enough, said Jonathan Zittrain, director of the Berkman Klein Center for Internet and Society at Harvard. “In some ways, Europe may be doing the job for us,” he said, “since companies above a certain size will be adopting GDPR-friendly practices for all users, not just Europeans.”
Amie Stepanovich, U.S. policy manager at Access Now, argued the public appetite for data privacy regulation was strong. “Cambridge Analytica and Facebook really raised the profile of this issue in the United States,” she told me. “It showed people who really weren’t sure just where they could be harmed from a privacy perspective,” Stepanovich said the spate of privacy bills pending in Congress was evidence that lawmakers had taken note of rising privacy concerns. “They’re hearing from their constituents that they need to do something,” she said. “If members of Congress are listening to what people want and what people seem to be talking about right now, this should be a top priority.”
Wallenstrom, of Wickr, agreed that the public focus is growing. “Businesses and end users want to know they own their data and no one else can access it. And while the consumer demand for privacy tech is growing in response to the lack of security guarantees by traditional tech providers, there is still far more growth in products that de-emphasize data protection,” he said. “It is fair to say that GDPR aims to regulate the protection of personal data largely because the tech industry has repeatedly shown that securing personal data privacy is not a priority
Contribution Magdalena A K Muir
Sources: