A thinktank backed by three US global tech giants has proposed a grand bargain with the US government on data privacy.
The Internet Technology and Innovation Foundation, which is supported by Google, Amazon and Facebook, has called for a single federal data privacy law to sweep away existing federal laws and replace state-by-state regulation and enforcement.
New legislation is widely regarded as inevitable in the US while state laws such as California’s new privacy act are already set to curtail the tech giants’ freedom of action.
Arguably the most controversial proposal is for the new act to replace the Children’s Online Privacy Protection Act, introduced in the late 1990s, which creates a cut-off point for collection of data on those aged under 13. Google and Facebook have been sued many times for breaching the act. Many Democrat legislators are opposed to the legislation for this and related reasons.
The tech firms are also very concerned that the US might seek to emulate strict European Union regulations such as the General Data Protection Regulation.
Balancing privacy and the economy
The ITIF addresses the EU legislation directly. It says: “If Congress passes data privacy legislation, its key task will not be to maximize consumer privacy, but rather to balance competing goals such as consumer privacy, free speech, productivity, U.S. economic competitiveness, and innovation.
“It is relatively easy to pass legislation to maximize consumer privacy. Indeed, the European Union did just that when it created the General Data Protection Regulation (GDPR)—a set of strict data protection rules for EU member states—which went into effect in May 2018. But this regulation came at a steep price: high compliance costs that were passed on to consumers; reduced choice in the digital economy as some firms choose not to provide services; and limited innovation as it becomes much more difficult for organizations, including non-profits, to use data to innovate and improve services.”
It also argues that legislation must not damage US digital competitiveness.
“Crafting privacy legislation that balances key goals is more difficult, both conceptually and politically, but it is essential if policymakers do not want to derail the continued success of the U.S. digital economy. Crafting such legislation requires a thorough understanding of the direct and indirect implications of various data protection policies. Policymakers who ignore the complexity of complying with privacy laws or the hidden costs of these regulations risk creating rules that undermine the digital economy by restricting the overall digital ecosystem and the benefits it provides consumers.
“The goal of data privacy legislation should therefore not be to myopically maximize consumer privacy, but to maximize consumer welfare. In other words, consumer welfare involves privacy. It also involves lower prices (or free products and services) and the development of new products and services. This approach requires finding the optimal level of regulation for the digital economy, with rules that are neither too weak nor too strong.”
The bargain calls for a huge range of measures, which offer improved transparency and a more coherent nationwide approach to punishing data breaches, but it is aimed at removing many regulations too.
- Creating a single set of data privacy rules for the United States.
- Create a comprehensive federal data privacy law and pre-empt state and local governments from passing legislation that would add to or diminish from these rules.
- Create a single data breach notification standard for all users while simplifying compliance by pre-empting any conflicting laws from states.
- Create a common set of federal protections for all types of data.
- Rescind existing federal data privacy laws and create a common set of federal protections.
- Ensure sector-specific regulators stay in place to oversee these changes and continue future enforcement.
- Scope rules to apply to all types of data.
- Exempt publicly available information.
- Exempt de-identified data.
- Create data protection rules based on both the type of data and the type of entity collecting the data.
- Distinguish between non-sensitive and sensitive personal data.
- Designate a subset of services provided by covered entities as “critical services,” which are subject to higher standards and requirements.
- Allow opt-out of data collection when organisations provide critical services collecting non-sensitive personal data, or noncritical services collecting sensitive personal data.
- Require an opt-in standard when organizations provide critical services collecting sensitive personal data.
- Establish clear consumer rights including a limited right of access that accounts for costs, a limited right to data portability that accounts for costs and a limited right to rectification for sensitive data collected by critical services.
- Address concrete consumer harms, rather than hypothetical ones.
- Give the Federal Trade Commission jurisdiction over privacy enforcement. Oversight requirements should weigh costs of compliance with benefits.
- Focus enforcement on substantial consumer harms, not hypothetical ones.