Next year, a highly anticipated privacy and data protection rights battle will occur in Congress. Powerful special interests from Google to Facebook are responding to the new European General Data Protection Regulation (GDPR) by hiring a massive phalanx of lobbyists and PR flacks seeking to quash any similar effort to protect U.S. consumers, while simultaneously seeking to preempt a new California privacy law before it even takes effect in 2020. Will we continue to be the data collectors' products, not their customers, or will we gain control over our own financial DNA? The state PIRGs are in this one; guess which side we're on. Today, we joined 34 leading groups in issuing shared Privacy Principles. From the group news release:
"Irresponsible data practices lead to a broad range of harms, including discrimination in employment, housing, healthcare, and advertising. They also lead to data breaches and loss of individuals’ control over personal information. Existing enforcement mechanisms fail to hold data processors accountable and provide little-to-no relief for privacy violations. The privacy principles outline four concepts that any meaningful data protection legislation should incorporate at a minimum:
- Privacy protections must be strong, meaningful, and comprehensive.
- Data practices must protect civil rights, prevent unlawful discrimination, and advance equal opportunity.
- Governments at all levels should play a role in protecting and enforcing privacy rights.
- Legislation should provide redress for privacy violations."
For years, we've been fighting bank and financial firm efforts to pass federal legislation that preempts stronger state laws on data breach notification and data security and replaces them with a weak federal standard. We call those the Trojan Horse proposals because a tiny new federal right sits on top of the horse but sweeping preemption of stronger state laws lurks inside the belly of the beast. We also call them the Equifax Protection Act because the bills would protect Equifax from accountability for its massive breach. Incredibly, while Congress has had numerous chances, it has so far failed to hold Equifax accountable.
But now the big social media platforms and telephone ISPs have joined the fray. They seek to prevent Congress from enacting a more comprehensive privacy law similar to the European GDPR -- affecting not simply what happens if you lose data because you didn't secure it, but what you can do and when with all the data you've collected. Can you share it? Can you use it to profile consumers? Can you track consumers? Can you do any of this and more without meaningful consent?
In the U.S., we have a narrow law that protects the accuracy and use of our data when it is shared or sold by credit bureaus for credit or employment decisions, but when similar data are sold by the broader universe of data brokers for any other reason, no real protections apply. A few other narrow laws protect some of our health information (some of the time) and even the names of videos we've rented or streamed. But no comprehensive U.S. law establishes a true umbrella privacy framework giving all data collectors responsibilities and all data subjects (consumers) rights, as GDPR does.
As a kicker, just like the banks, the big social media platforms, the big data brokers and the numerous other smaller players that form the big Internet data surveillance, collection and tracking ecosystem seek to preempt any stronger state privacy protections or state Attorney General enforcement authority over them. They seek to prevent California's 2018 Consumer Privacy Act from even taking effect in 2020 and, of course, to permanently deny other states their rightful roles as innovative "laboratories of democracy."
For more information on what GDPR does and why we need a GDPR-type privacy law in the United States, see this Sunday night's 60 Minutes show "GDPR: The Law That Lets Europeans Take Back Their Data From Big Tech Companies." It features our colleague Jeff Chester of the Center for Digital Democracy.
At all levels, we've been active in the privacy fight this year:
- This week, we filed comments in response to the Request for Comment (RFC) titled "New Approaches to Consumer Data Privacy" issued by the Department of Commerce's National Telecommunications and Information Administration (NTIA).
- In April, we also joined EPIC and other leading groups in a petition calling for an FTC investigation of whether Facebook's facial recognition programs and other practices violate its 2011 enforcement order with the commission. Today, the New York Times reported on Facebook's response to Congressional questions about that 2011 order and its violations of it. Illinois PIRG has been a leading supporter of that state's Biometric Privacy Law. After all, as Illinois PIRG director Abe Scarr notes: "Biometric information is uniquely sensitive. You can cancel your credit card but you cannot cancel your face."
- We've supported children's privacy and strong enforcement of the Children's Online Privacy Protection Act (COPPA) by joining an April complaint against Google's YouTube. In October, we joined Campaign for a Commercial-Free Childhood, Center for Digital Democracy and leading groups in a Georgetown University Law Center Institute for Public Representation filing to the FTC regarding how in-app marketing to children may violate COPPA.
- And, of course, we continue our now 30-year fight to bring Equifax and the other credit bureaus to heel. As gatekeepers to financial and employment opportunity, they must be held to the highest standard.
Expect industry to claim that there are no harms in what they do (but see the lower right box). And expect them to offer us the sop that they will promise to give us notice of what they do with our financial DNA (but not control). In fact, industry's goal is nothing less than to normalize all their current business practices without offering us much more than notice. Notice is not a right. We are not a product for sale. Stay tuned.