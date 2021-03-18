Virginia will soon join California in adopting special legislation to protect the “privacy” of consumer data.
While these laws seem reasonable, they fail to balance legitimate privacy concerns with the need to encourage innovation and competition. And if international experiences are anything to go by, then the biggest losers could be the very consumers the laws intend to protect.
Take the European Union’s Global Data Protection Regulation, which confers lofty “privacy rights” on digital platform users, like the “right to be forgotten” and additional privacy and security protections.
Unfortunately, even those tasked with enforcing the rules don’t know exactly what they mean. Ill-defined terms like “personal data” could capture a wide range of information, thus triggering exorbitant fines that smaller businesses can’t risk.
Seventy percent of British businesses remained noncompliant with the GDPR two years after its announcement, and many European tech and media start-ups simply shut down.
Compliance was unaffordable and noncompliance was just too risky.
In fact, the law’s chief beneficiaries are those working in its burgeoning compliance industry. More compliance spending means less resources for product and user-experience development.
These problems worsen where individual states, like California and Virginia, pass their own GDPR-inspired privacy regulation. A patchwork of up to 50 different privacy regulations would make running a tech company and moving data across states a costly nightmare, with potential fines under 50 different regimes.
But there’s a better way. American common law already recognizes torts for privacy breach, including “intrusion into seclusion,” and doesn’t require that the “intrusion” be physical.
It makes sense, then, to extend the tort to apply equally to digital platforms that appropriate data marked as “private,” or that obtain personal information without consent through user surveillance, as it does to unauthorized surveillance of someone’s private residence.
Unlike regulators, courts can flexibly tailor rules to novel situations, and are less likely to keep blindly applying principles that are no longer fit-for-purpose due to technological advancement.
Legislation also has a role to play, especially in specific situations involving sensitive data that call for more stringent protection standards. Already, the Health Insurance Portability and Accountability Act applies special protections to private medical information, and the Children’s Online Privacy Protection Act carries special responsibilities around data collected on children. Adopting privacy legislation federally, or through a compact between states, will foster interstate commerce and data transfers through a single national regime.
It’s an important balancing act.
From managing pandemics to life-saving medical tech, cutting-edge innovations in data collection and use are rapidly transforming lives for the better.
But our society’s transition to a data-driven economy, where living off-the-grid is hardly an option, where there are growing concerns about data misuse and cyberattacks, and where governments routinely work with or compel private companies to surrender user data in the name of keeping us safe, brings valid privacy concerns.
Our leaders must promote the safe and secure collection and use of data by public and private actors alike, while ensuring that the rules of the road don’t leave behind innovators and those standing to benefit from rapidly evolving technology.
We can minimize the unintended consequences of the GDPR by including a wide range of stakeholders in the development of these rules.
The Atlantic Council GeoTech Commission has been doing this for years, as a public-private partnership bringing legislators, innovators and policy experts together to formulate legislation and regulations.
Private companies driven by growing demand for secure data collection and storage are already making strides in offering physical, electronic and procedural privacy safeguards. Governments can further incentivize data security by minimizing their own ability to spy on users, or to appropriate user data from companies without a warrant.
If we’re going to go after big tech for having too much power over everyone’s data, then we should start with the biggest surveillance racket in town — the state.
Marar is a senior contributor and tech policy fellow at Young Voices, based in Washington. His writings on technology and innovation have been featured in Washington Examiner, Washington Times, The Hill and RealClearPolicy.