Time to fix privacy regs is now …

In a different context and a different time, John F. Kennedy once said that “the time to fix the roof is when the sun is shining.”

Our nation has long enjoyed sunny weather when it comes to developing the products and services that power the digital economy. Countless citizens have gained newfound knowledge and opportunity because of the way in which the internet has transformed commerce, education and health care.

{mosads}However, when it comes to consumer privacy today, there are some clouds on the horizon.

Troubling trends have cropped up in the last 15-20 years. Data breaches are now regular occurrences and identity theft is at an all-time high.

Of equal concern is an urge to protect against these developments through government-imposed regulations. While crafted with the best of intentions, there are many indications that these efforts will result in massive compliance costs and stifled innovation rather than the desired consumer protection.

Most notable of the new government regulations is the European Union’s General Data Protection Regulation (GDPR), which went into effect at the end of May. The GDPR imposes a laundry list of requirements on companies who collect the personal information of EU citizens. And while GDPR has resulted in an increased attention to privacy, it imposes so many specific requirements that it can easily be seen as a law constructed primarily to trip up companies who fail to check every single one of its boxes.

Major U.S. tech companies have spent countless millions of dollars in compliance costs, while many smaller companies simply can’t afford those costs. Some apps and websites have chosen to cut off EU access rather than spend the money it would take to comply. Ironically, the GDPR may have enshrined U.S. tech companies as the major players in the EU market because they’re the only ones who can afford to comply.

Meanwhile, the U.S. thus far has taken an asymmetric approach to privacy and data security regulation. Certain industry sectors (such as banking and health care) have their own regulatory regimes, and each state has its own data breach notification law. A few states have implemented data security requirements, and California became the first state to pass a data privacy law in June with requirements not seen in any other state. At the federal level, the Federal Trade Commission (FTC) is the primary regulator of privacy and data security, but their authority under Section 5 of the FTC Act is limited.

This pieced-together “regulatory raincoat” has its drawbacks. It is not a replicable model, and thus isn’t a viable alternative to the GDPR internationally. It also may inspire other states to pass their own privacy laws, creating a legislative patchwork that inhibits innovation and is a disservice to consumers. 

This week’s hearing before the Senate Commerce Committee and the ongoing effort by the administration to develop a more coherent and comprehensive approach to data privacy and security has created an opportunity to bring all concerned parties together to find some common ground.

We need to start with some agreed upon principles.

Any new federal data privacy and security law should ensure that companies are implementing processes that prevent their users’ personal information from being used in harmful ways. Companies should adopt appropriate safeguards – at the development stage — to protect the personal information in their possession. The greater the risk that the information could be used in a harmful manner, the stronger the protections need to be.

Companies that collect and use personal information should be transparent about their practices. They should make those practices easily accessible and understandable and include information about the data they are collecting, how that data is being used, and what choices users have about collection and use. When practical, users should be able to decide how their data is collected and used but should also be made aware that the consequences of said choices might be diminished functionality of the product or service.

Perhaps most importantly, privacy legislation should allow companies to decide how to implement these new processes and should not require the use of any specific methods or technologies. Legislation should focus on preventing specific outcomes and allow companies to make their own choices on how to avoid those outcomes. This will allow small companies to focus on protecting their users’ privacy and securing their data without having to bring in an army of lawyers for compliance purposes.

Since the internet’s inception, American companies have been the world’s preeminent innovators — due at least in part to a regulatory regime that promoted a balance between innovation and regulation. It is still possible to preserve that balance through common sense data-protection legislation.

We need a thoughtful national standard for data privacy and security, so the world can see that there’s a way to do this right, and we can ensure tech’s “privacy roof” is structurally sound for years to come.

Matthew Starr is director of public advocacy for CompTIA.