Do you remember this expression: “A camel is a horse designed by committee”?
Last week, the White House issued a discussion draft of its long-awaited Consumer Privacy Bill of Rights – and well, it looks like a camel of policy aspirations.
It definitely includes good ideas and well-meaning intentions. But it also contains an undeniable hump of mystifying definitions, requirements, and regulatory processes. That’s why the White House issued the bill as a discussion draft: This beast needs more work.
The consensus is that a consumer privacy bill is dead on arrival in this Congress. But that is really beside the point. What we need today is a framework for a national discussion about privacy regulation, and that is what the White House has given us.
Whither a federal privacy law?
Here’s why we need a federal consumer privacy law:
First, for clarity. Currently, our laws regulate privacy in specific sectors – financial privacy, health privacy, children’s privacy, etc. – each with different definitions of the data to be protected and different types of protection required. A baseline privacy law that protects all personal data – whether collected online or offline, and whether by your doctor, your grocery store, or your social network – would give clarity to both consumers and the companies who hold their data.
Second, to demonstrate our commitment to privacy internationally. In the wake of Edward Snowden’s disclosures about US surveillance programs, the entire world focused on America’s collection and use of communications data, from phone records to emails. In truth, European regulators have been complaining about America’s lack of a comprehensive data protection regime for nearly two decades. Whether or not you like the Europeans’ formalistic model of privacy regulation, last year’s revelations gave new life to complaints about the patchwork commitment to privacy in the US. Our trading partners want the assurance of a broad, enforceable law to protect their own citizens in the global marketplace.
Third, and perhaps most importantly, to empower consumers. It is time for a law that will stop the relentless slide of personal data out of an individual’s control. There is a growing asymmetry in real and perceived power between those who collect data and the individuals who are the subjects of that data. A person may give up some information in order to get a service, but they sense that the information blows like dust out of their control and into the hands of unseen interests. A privacy law assuring baseline transparency, control, and protection will help re-align the power dynamics around personal data.
Important questions in the White House bill
The White House’s 24-page draft bill would codify long-standing privacy principles of transparency for consumers, individual control over personal data, rights of access and correction, data security, and accountability. In addition, the bill introduces new concepts intended to provide flexibility to keep pace with changing technologies and business practices.
For example, the bill introduces a (somewhat complex) review process for determining if data practices are reasonable in light of context. Moreover, it proposes a new regulatory structure to encourage codes of conduct developed by multistakeholder forums or volunteered by the private sector, and ultimately blessed by the Federal Trade Commission.
The White House was upfront in saying that this draft is a starting point, not the end of the conversation. The bill struggles to achieve a number of policy objectives, not all of which are fully formed or necessarily consistent. But these difficult drafting areas raise important questions now ripe for discussion:
- Is there a privacy cost to cybersecurity? The bill provides an exception to the privacy protections for “cybersecurity data” – data used to “indicate, describe, or identify” threats to a system. But finding security vulnerabilities is increasingly a big data exercise of analyzing most, if not the entirety, of a data ecosystem. An exception to privacy protection for cybersecurity may swallow the whole.
- How do we protect values other than privacy? The White House’s 2014 big data report found that big data technologies not only implicate privacy, but other values such as fairness and nondiscrimination. To prevent possible discrimination in people’s access to credit, employment or government benefits, the draft bill requires companies to conduct a disparate impact analysis. This is an important insight on the potential harms of data practices, but we need more discussion of how this would work in practice. At what point in the development of code, algorithms, and products should such a review take place? What results should be deemed harmful?
- Can multistakeholder policy development work? We have learned from previous multistakeholder privacy convenings (for example, the Do-Not-Track working group trying to standardize cookie settings for more than three years) that it is difficult to develop practical, enforceable and adopted codes unless all parties come to the table committed to reach agreement. The bill suggests a structure for incentivizing codes of conduct, but it is unclear whether there is sufficient industry interest, privacy advocate support or government resources to actually make the process work quickly and effectively.
- What is the cost of privacy protection? The bill would create newly empowered, but apparently unfunded, government bodies and regulatory processes that require substantial buildup (and resources) in the FTC. Enforcement of industry codes of conduct would require an ongoing cycle of approving and reassessing the technologies, market, and regulations. Without a properly staffed review and enforcement office at the FTC, this structure – rather than providing flexibility – might unnecessarily inhibit perfectly legitimate and safe innovation.
Notwithstanding the skepticism from all sides on the White House proposal, here’s why it’s an important step and why we should discuss it: There is no future in which less data is collected and used. To the contrary, new technologies for collecting data and the cratering cost of processing and storing it herald a future of near-ubiquitous surveillance here in the US and on the platforms that we share with the rest of the world.
Nor can we continue to argue for leaving the safekeeping of our data to the discretion of private actors. Individuals, companies and governments want clarity and consistency, and we will require all hands on deck to achieve these goals in the area of privacy. For better or worse, the camel of privacy legislation actually does need a committee to ensure a result that is both sensible and viable.
Nicole Wong previously served as the deputy chief technology officer in the Obama administration, and was a principal author of the 2014 White House report "Big Data: Seizing Opportunities, Preserving Values." She is a founding columnist for Passcode.