Personal data has become essential both to mitigate COVID-19 and to rescue our slowing economy. For example, Google is using its large trove of personal data to track the effectiveness of social distancing. Firms are also using personal data to supply us with goods and services from toilet paper to in-home meetings. Meanwhile, policymakers are using personal data to provide individuals with stimulus checks and unemployment insurance. Governmental bodies are also teaming up with data-sector firms to direct users to testing clinics, inform the public about COVD-19 disinformation or feed workers on the frontlines.
To accomplish these tasks, government officials, corporate executives and netizens will have to share — and at times buy and sell — personal data. But the U.S. has no national law delineating how firms can acquire, use, and monetize personal data. While the US has some laws governing the use of certain types of data or data use in specific sectors, a lot of personal data falls through the cracks. Meanwhile, although they have made progress on draft legislation, Congress is unlikely to pass a privacy law in the near future. Finally, the Trump administration has not made a personal data protection law a priority.
In this policy vacuum, there is a path forward.
Securities regulators could use existing authority to mandate transparency of data markets and prod firms to protect user data.
Although many societal institutions rely on personal data, most personal data is held by firms that anonymize, utilize and sell such data to provide goods and services to customers, which include governments, other firms, and individuals. These firms use sophisticated analytics to create new products and services. Over time, these products and services generate even more data, which, in turn, further perpetuate these firms’ market power.
However, the market for data is opaque. Because we know little about supply, demand, prices, buyers or sellers, this market can be inefficient and benefit some market actors over others.
While a few huge firms profit from the supply of personal data, data suppliers — you and me — don’t know much about how our data is used and monetized. We can only hope that our data is adequately protected, but several studies have shown that anonymized data can be de-anonymized when researchers cross multiple data set as they need to do to solve the problems we confront today.
Some governments are trying to ensure that when data is utilized by public or private actors, personal data is protected. Building on its General Data Protection Regulation, the European Commission recently put forward a data strategy that sets clear rules on access and re-use of data, protects personal data, accommodates the mixing of public, personal and proprietary data, and facilitates innovation by academic, business and governmental sectors.
U.S. financial regulators already have the tools to reform data markets.
The Securities and Exchange Commission (SEC) already requires that firms report on what they are doing to address cyber-threats, noting that “cybersecurity is the responsibility of every market participant.” Inadequate personal data protection is also a threat to the health of firms, as we have seen with companies such as Target, Equitable, and Ashley Madison that did not do a good job of protecting protect large troves of personal data. Specifically, the SEC should ask all publicly traded companies to disclose how they acquire and utilize personal data and divulge which firms they sell these data to. Such mandated transparency would accomplish two things: make the market for data less opaque and incentivize firms to do more to protect personal data.
America can’t mitigate the virus and revive the economy without effectively using personal data. But COVID-19 provides us with an opportunity to rethink how we can protect the personal data of users while making the market for personal data more transparent, equitable and competitive.
Susan Ariel Aaronson is director of the Digital Trade and Data Governance Hub and a professor at George Washington University. Patrick Leblond is associate professor and holds the CN-Paul M. Tellier Chair in Business and Public Policy at the University of Ottawa. They are both senior fellows at the Centre for International Governance Innovation.