Consumer advocates and the data-hungry technology industry are drawing early battle lines in advance of an expected fight this year over what kind of federal privacy law the U.S. should have.
Earlier this month, more than a dozen privacy organizations unveiled a plan that would create a new federal data-protection agency focused on regulating the way businesses and other organizations collect and make use of personal data, even if aggregated or anonymized. The proposal would sideline the Federal Trade Commission, which has limited powers and a mixed record of holding companies to account for privacy problems.
On the other side, a think tank backed by Google, Amazon, Microsoft and other major tech companies proposed changes that would still give the industry broad authority to collect and use customer data. The Information Technology and Innovation Foundation called for national legislation that would repeal and replace existing privacy laws with a “common set of protections” intended to encourage innovation while also quashing tougher state laws.
Unlike many industrialized nations, the U.S. has no overarching national law governing data collection and privacy. Instead, it has a patchwork of federal laws that protect specific types of data, such as consumer health and financial information and the personal data generated by younger children.
States have also started to pass their own tougher restrictions. A California measure set to take effect next year, for instance, will let consumers request the data collected from them and to opt out of future collection.
Calls for a national privacy law gained force after Facebook’s Cambridge Analytica scandal last year, in which the social media giant was forced to admit that onetime political consultants for the 2016 Donald Trump presidential campaign had improperly accessed the personal information of as many as 87 million users.
Continuing revelations of data missteps at Facebook and other big tech companies have bolstered a U.S. reform movement. Its advocates take heart from recent developments in Europe, which last year enacted sweeping privacy regulations that, among other things, require companies to obtain permission before collecting most data. Several U.S. senators — including Ron Wyden, an Oregon Democrat, Brian Schatz, a Hawaii Democrat, and Marco Rubio, a Florida Republican — have already introduced draft privacy legislation.
“Privacy advocates are fed up with the FTC and with Washington failing to reign in the immense power the big data giants hold,” said Jeffrey Chester, the executive director of the Center for Digital Democracy, which helped author the reform proposal.
Their proposal would set limits on what data companies can collect and would require firms to consider correcting or deleting personal data upon request. It would also prevent companies from giving customer data to the government unless criminal investigations necessitated it.
By contrast, the ITIF report calls for a “grand bargain” that would accept a national privacy law long opposed by industry. In the foundation’s proposal, however, this law would establish “baseline” privacy protections across all industries — and would prevent states from enacting stronger measures.
“A lot of privacy activists are entrenched in creating ever more complicated rules,” Daniel Castro, a co-author of the ITIF report’s, said by email. “The only way to simplify these rules is to rewrite them.”
Privacy experts say the baseline protections in the ITIF proposal still leave consumers at the mercy of big corporations. For instance, its “limited” consumer protections would require individuals to track the companies that collect their data in order to request access or corrections, rather than shifting that burden to companies themselves, said Eric Null, senior policy counsel at the New America think tank’s Open Technology Institute.
The ITIF proposal would also prevent individual lawsuits against companies accused of misrepresenting or misusing their data, primarily to shield corporations from legal risk. Instead, only government would be empowered to protect individual rights. “A federal privacy law should include the power of a private individual to bring legal action,” said Adam Schwartz, a lawyer with the Electronic Freedom Foundation, a digital-rights advocacy group.
ITIF’s plan could potentially start a conversation in Congress over repealing existing federal privacy laws, Null said, but several Democratic lawmakers strongly oppose that. “We should build upon — not dismantle — existing safeguards,” said Sen. Ed Markey, a Massachusetts Democrat, in an emailed statement from his office.
Chris Hoofnagle, another privacy researcher at the University of California at Berkeley, called the ITIF offer “laughable,” noting that it falls short of the voluntary privacy commitments companies such as Google, Microsoft and Amazon have already made.