The punitive approach to U.S. data privacy regulation will backfire
Unlike Vegas, what happens in California will not stay in California. Just ask anyone trying to sell automobiles in the United States.
On January 1, 2020, the new California Consumer Protection Act (CCPA) went into effect with consequences felt far beyond the state’s borders. This has lit a fire under Congress, where proposals for data regulation appear aimed more at punishing misconduct and negligence by Big Tech than at creating a data ecosystem that properly balances privacy, security, commerce and innovation.
This is a shame. Designing such far-reaching legislation in the current atmosphere of fear and anger – not to mention during a U.S. election year – is a mistake. The result will be a punitive system that threatens huge fines for perceived violations of a somewhat difficult-to-interpret regulation, one that frankly doesn’t add much to the EU’s General Data Protection Regulation (GDPR), which has already forced global digital players to comply.
Worse still, it will stifle innovation without achieving its main goal: bringing greater security and privacy protections to the American public. The legalistic regulatory approach enacted in Sacramento and now contemplated in Washington, too, will simply spawn an ocean of legalistic disclaimers and opt-outs (along with the legal fees required to produce them) and launch a hunt by players small and large for the loopholes that invariably exist when laws are passed to win political points rather than after long, nonpartisan study aimed at finding optimal solutions.
That California would be the beachhead for the regulatory campaign that began with the May 2018 enactment of GDPR in Europe is hardly surprising. Back in 2007, California’s decision to set higher fuel efficiency standards than the rest of the US forced the rest of the world – not just US automakers, but foreign manufacturers, too, eager to sell cars in the United States – to scramble.
The powerful auto and energy lobbies tried to kill the move, but the Golden State’s higher bar was affirmed by the EPA in 2009 when it issued an exemption allowing the state to exceed federal standards. That the Trump administration recently revoked this exemption matters little. It takes time and a lot of money to change production lines and auto designs, whether the change is meant to raise or lower fuel efficiency. As a result, the effects of California’s higher standards are very likely to outlive the current administration.
This scenario is now playing out on data regulation. GDPR was the first shot: By dint of the EU’s size, its new regulatory approach invariably forced compliance on many firms outside its borders. In simpler times, the EU’s enactment of GDPR would have spurred trans-Atlantic talks to harmonize the legal codes of the world’s two largest economic entities. But these are not simple times when it comes to data.
As readers of this site know by now, GDPR levies fines of up to 4% of annual revenue on companies doing business in Europe who fail to protect the personal data and privacy of EU citizens. This so far has cost companies over $100 million in legal and other fees, according to the European Parliament’s data protection registry, including the rewiring of digital business plans and platforms, the hiring of “Chief Data Officers,” a relatively new post necessitated by the law, and other compliance measures. Google was hit quickly with a $57 million fine in 2018. In September 2019, British Airways took the dubious crown for the largest fine to date at $228 million.
California’s state legislators, once incredibly pliant when it came to technology regulation due to the power of Silicon Valley lobbyists, have since 2016 joined the bandwagon of tech bashers – a vote-winning caravan in a largely Democratic state since the 2016 Facebook-Russia election fiasco. And as with the EU, its size matters. California is not only the largest internal market in the US, but if it were a nation, its $2.9 trillion 2018 GDP would make it the fifth largest economy in the world, slotting in right between Germany (No. 4) and the UK (No. 6).
Rumblings back East
The confluence of data paranoia and California’s history as a state that can make national policy will ensure that Congress, a notoriously Luddite institution, will now act. Suddenly, less than a month before the US presidential primary season begins, a rare bipartisan push towards federal data protection legislation has emerged aimed at forestalling a state-by-state patchwork and, for the GOP at least, denying vindication to reviled activist legislators of California.
Was a nonpartisan panel of experts convened? Has Congress examined the many proposals for digital sovereignty or third-party data protocols – including the one developed by my team and me at Microshare? No. They held televised star chamber hearings to eviscerate the CEOs of the major technology firms without demonstrating much knowledge of the complexities involved. Did Facebook deserve its drubbing? Probably. Is the laissez-faire approach that dominated the first two decades of the digital revolution in need of guardrails? Absolutely.
Now Congress is moving forward with a sledgehammer where an architect’s fine pencil is more appropriate. In November, Sen. Maria Cantwell, D-WA and the top Democrat on the Senate Commerce, Science and Transportation Committee, introduced a new national privacy bill – the Consumer Online Privacy Rights Act – aimed at providing consumers with digital "Miranda rights" and imposing tough penalties on companies that abuse consumer data.
So Republicans, eager to find some compromise that would prevent a patchwork of state laws like the CCPA from being enforced, have made their own proposal. It dials back some of the disclosure requirements of Cantwell’s bill, and also would preempt state data laws, a provision that would deny California the satisfaction of again setting national policy.
Everything in Moderation
I don’t deny the downside risks or the need for standards. I could list the big hacks and point to outrages regarding personal privacy, but you know that story. All new technologies come with downside risk. Wheels, a seminal human invention, not only move things but have also crushed us to death now and then. The printing press brought literacy and ideas to medieval civilization but also Mein Kampf and child pornography. Aircraft made the planet smaller but also dropped jellied petroleum on Dresden and atomic weapons on Nagasaki and Hiroshima.
We didn’t ban wheels, printing presses or aircraft. The harnessing, sharing and selling of data will displace workers, prove invasive in some forms, and may well be turning our children into little zombies. But humans manage risk and adapt to change: that’s what we do. We will survive the challenges of the technology age, too.
For all the downside risks involved in the transfer and collection of data, I believe the upside is greater by far. Data on our health and nutrition will extend our lives. Data has the potential to eliminate traffic accidents. Data will make everything from buildings to ships to hospitals more sustainable and more efficient. Even inequality can be tackled: Data gleaned from mobile payments systems in the far reaches of the developing world shunned by traditional finance – from sub-Saharan Africa to the Andes to Southeast Asia – are enabling small farmers, merchants and village craftsmen to access small loans and insurance based on risk calculations drawn from shared data.
The data debate is complex. There are countless nuances around data: personal, government, industry, sovereignty, and more. Like any other asset that creates value for society, data will always attract the attention of nefarious characters. But just like payments, aircraft and the networking of proprietary intellectual property, the value add exceeds the risks. It is time to communicate clearly the methods and purposes of data collection and distribution so that societies can develop clear ethical and regulatory standards for data management.