Source: USA Today
For decades, the domestic conversation regarding privacy focused on the need to protect citizens’ privacy rights from government, often in the context of privacy in the home. Recent data security lapses, however, have begun to dramatically refocus the conversation on the need to protect citizens and their data from abuses by private industry, which in the digital age often knows far more about an individual than any past government entity ever did. In recent weeks Google has apologized for failing to disclose the presence of a microphone in its Nest Guard product while the Government Accountability Office issued a report recommending that Congress pursue comprehensive data privacy legislation. We have rightfully recognized that it is time for government to act to protect citizens from corporate misuse of their data, though we in the United States have yet to agree on what that action might be.
In Europe, this conversation led to the creation of the General Data Protection Regulation (GDPR), a sweeping, European Union-wide privacy law that provides citizens with robust privacy protections and includes significant penalties for companies that fail to comply. In the U.S., several stakeholders, including lawmakers, privacy groups, and industry, have offered proposals with varying protections and breadth. While these proposals have been criticized for going too far or not far enough, national-level protections are clearly needed — American citizens deserve the same general protections and remedies enjoyed by their European counterparts.
Every actor in the digital economy generates “digital exhaust,” the information we leave behind as we browse the internet or use a digital device. This information, taken in aggregate, can be incredibly revealing, exposing our movements, interests, and activities — a gold mine for advertisers, but also a serious threat to our privacy and security when unprotected or misused.
To that end, I believe it is vital that Congress act. While not exhaustive, there are a few principles that can help ensure the United States protects its citizens from the loss and misuse of their personal data while incorporating our own unique understanding of constitutionally protected privacy and free speech.
► First, any proposed solution must be consistent with American democratic values, protecting our unique understanding of the right of free speech. We need to allow news organizations, and citizens, to collect and use data that they collect and record themselves, provided the information was obtained with proper consent. Freedom of the press is vital to American democracy and limiting the ability of the press to do its job as a result of carelessly crafted legislation would be a mistake. This is particularly true for data concerning public figures, who have long been held to a reduced legal right to object to public discussion about themselves given the public’s legitimate interest in their beliefs and activities.
We need varying levels of protection for data
► Second, there should be varying levels of data protection for different categories and uses of data. For example, commercial data collected by a provider for the purpose of improving a service or technology (diagnostic data, crash reports, etc.) would have a reasonable level of protection, with user consent obtained through the terms of service. But should a provider desire to repurpose this data, for example by selling it to a third party for marketing purposes, the provider should be required to obtain the specific affirmative consent of the user for this use. The collection and use of more sensitive data, such as browsing and purchase history or location data, should also require the explicit, affirmative consent of the user. In all cases the user should be provided with a clear, concise explanation of what data will be collected and how it will be used — not buried on page 56 in the terms of service.
► Third, the decision on whether to share one’s data should be a meaningful choice, not one that is compelled, directly or indirectly. This is particularly important when a provider has a functional monopoly over a type of service. Under those circumstances consent becomes a binary and false choice — either agree to share your data with the provider in order to access the entire category of service, or refuse and be unable to access it. This is a situation in which restrictions on the ability of the provider to require the surrender of sensitive user data would be appropriate.
Users should be able to review data collected
► Finally, users should have the ability to review the data collected by providers and third-party aggregators to ensure its accuracy. Just as inaccurate credit information can harm a consumer, so can inaccurate user activity and location data. Individuals should have the ability to dispute the information held by providers and aggregators, complete with mechanisms designed to ensure that the issue is resolved quickly and without onerous follow-up requirements. This information should also be properly secured, as several existing laws and regulations dictate, though the applicability of these security requirements should be expanded, and their penalties enhanced.
Over the coming months the discussion of what a Federal data privacy law should look like will continue, driven by growing concern over the misuse of private data by private companies and increasing awareness of the issue in Congress. Thus far, California and Vermont have led the way, passing varying protections similar to those contained in Europe’s GDPR. But there is an urgent need for the Federal government to act, extending similar protections to all Americans.
Michael Chertoff is executive chairman and co-founder of The Chertoff Group, a security and risk management advisory firm, and served as secretary of the Department of Homeland Security (DHS) from 2005-2009. He is the author of “Exploding Data: Reclaiming Our Cybersecurity in the Digital Age.”