The U.S. is lagging behind global data regulation

The US has been hesitant to enforce collective data regulation. Europe’s new digital privacy laws may serve as a model for US policymakers looking to protect users of electronic communication services. Europe has been quick and efficient in pioneering regulation in this area – but America lacks a law that unifies the methods for handling data about American users.

The recent decision of the European Union (EU) to fine Google $5 billion for “serious legal behaviour” shows the EU’s determination to regulate the increasing influence of American technology firms providing online communications services. This decision also reminds us that the EU and other regional bodies aim to preserve such European regulatory principles as those expressed by the General Data Protection Regulation (GDPR), which came into effect on May 25, 2018.

Implications of the GDPR

The GDPR is a privacy law that requires users to understand what data about them are collected, making social media firms which want to acquire and share user information obtain the users’ consent before they do so. Transparency is central to this law, obliging firms to tell users what information they are harvesting and why, or face fines of up to €20 million ($25m) or 4% of their global annual sales, whichever is greater. This has made data privacy the bedrock of technological design, thus protecting citizens of the European Union, no matter where the data-collecting firms are based.

Following the GDPR, the UK Information Commissioner’s Office (ICO) fined Facebook £500,000 GBP ($663,000) in early July for two breaches of the 1998 Data Protection Act. The breaches enabled Cambridge Analytica, a political consultancy group involved in Donald Trump’s 2016 presidential campaign, to deploy personal data from 87 million Facebook users. Cyberspace is a battleground for espionage, state coercion, large-scale robbery, and social engineering as byproducts of illegal data harvesting practices. Of these, social engineering is nowadays perhaps the most contentious issue, because the American public after the U.S. 2016 election realized the potential for third parties such as Cambridge Analytica to harvest individuals’ personal information and thus make them vulnerable to persuasion.

The US lags behind

Despite this and other developments, including ongoing anti-trust investigations of Facebook in both Germany and Italy, and the comprehensive data privacy laws for the public and private sectors in approximately 120 countries, the US has yet to take regulatory action against the abuse of personal data.

In failing to address such acquisitions of personal data by third parties on digital platforms, the US government risks breaches of national security. The UK Information Commissioner’s Office defines personal security breaches as the “unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.” With this broad definition, it is easy to see the room for error on the part of governments which mistakenly believe that the loss of personal data is limited to unwarranted third-party access to data.

Federal law could play a crucial role by having the means to build consensus on issues related to data protection and user privacy. In the US, it has unfortunately not yet done so, mostly because the US, according to the Council on Foreign Relations, lacks a single, comprehensive federal law that regulates the collection (and use) of personal data. So far, only a “patchwork” of regulations exists, because the government has chosen to regulate only certain sectors that collect specific information (for instance, on health or finances). The Health Insurance Portability and Accountability Act (HIPAA), for instance, involves only “covered entities and business associates” holding health information. The US healthcare system is covered by similar privacy laws, but they do not apply to sectors outside specific industries, and protect only certain persons, such as children under thirteen years old (through the Children’s Online Privacy Protection Act, COPPA).

So far, even the most prominent federal laws in the US have failed to awaken the support of Congress in creating more comprehensive federal privacy-related laws that would regulate how personal data are collected and used. Examples are the Financial Services Modernization Act of 1999 (determining how financial information is collected and used), The Electronic Communications Privacy Act and the Computer Fraud and Abuse Act of 1986 (regulating the interception of electronic communications and computer interference, respectively).

“Regulation-lite” vs. ePrivacy laws

At best, it seems as if US data protection is still “regulation-lite,” failing to penalize domestic tech firms because of the lack of political will amongst Republicans, who hold the majority in Congress. Additionally, outspoken critics of data regulation in government, such as Wilbur Ross, US Commerce Secretary, have warned that data privacy laws will damage US trade relations. Some tech firms in the US have, understandably, spoken out against the adoption of the GDPR regulation and even stricter privacy laws such as the ePrivacy regulation, which is undergoing review by the EU Commission.

In effect, the ePrivacy regulation would require users of services such as Skype, Whatsapp, and iMessage, to give their explicit permission before their communication service provider is allowed to collect their communication data. The ePrivacy regulation will essentially protect the confidentiality of electronic communications.

The American Chamber of Commerce to the European Union has called the ePrivacy regulation “overly strict,” stating that its “strict consent requirements” would place a “burden on consumers”, though they do not specify how consumers, who are as a rule uninformed about their privacy rights, can be said to be burdened. Similarly, the Developers’ Alliance, a trade group representing Google and Facebook, as well as other tech firms and app developers, has stated that the ePrivacy regulation could cost European businesses more than €500 billion, reducing the global annual turnover of the electronic communications industry.  

More comprehensive regulation

In addition to domestic concerns over the effects of tighter data regulation, President Trump’s rebuke to the EU for deciding to fine Google $5 billion has aggravated the US disagreement over the heavy regulation of the tech industry. He tweeted that the EU will not be able to take “advantage” of the US any longer. This development adds tension to US-EU relations, which are already deteriorating over NATO spending and tariffs. However, it is unlikely to derail the EU’s efforts to manage the data procurement practices of large tech firms on issues such as fake news filtration, anti-trust law violations, and user privacy.

The ambivalence of the current US administration over defending liberal values both economically and politically could create space for powers such as China to set global data privacy standards of great impact, enabling it to set the terms for future regulatory frameworks. China, which has long advocated national cyber sovereignty, has promoted an International Strategy of Cooperation on Cyberspace – a wide-ranging strategy document that promotes digital sovereignty as one of four basic principles (in addition to peace, shared governance, and shared benefit). The document does not, however, address the concern that a government which adopted the principles might use national security objectives as an excuse to restrict its population’s access to the internet market.

If the US wants to protect its domestic digital business models better, it should seek more comprehensive regulation over domestic data privacy. This will better protect internet civil liberties, including the need to have users’ consent for data harvesting, while fulfilling the mandate of the US Department of Commerce to “assist and advocate for US business interests abroad” by keeping US tech firms lawfully engaged in foreign markets. Congress could help to find solutions for ongoing data protection issues within the social media services industry, and thus help to establish and maintain higher standards of data privacy.

GDPR framework strategies

The US can secure these regulatory outcomes by adopting strategies that are part of the GDPR framework. Such strategies include regulating the type and amount of personal information that firms can collect, and compelling them to explain their reasons for doing so to the American public. Data must also be collected, and possibly processed, in transparent ways. Firms must tell users the purposes of their data processing.

Additionally, appropriate technical and organisational safeguards must be installed to ensure the security of personal data, its protection against loss, destruction or damage and so on. Moreover, when data are collected, users must have the right to be informed about certain things, including how long data will be retained; which third parties may receive them; and the users’ right to withdraw consent at any time.

Stricter US privacy standards are crucial. The Obama administration proposed the Consumer Privacy Bill of Rights, detailing consumers’ rights to control their personal data, through access to greater online transparency. This twice failed to gain consensus in Congress. Since then, privacy has become increasingly problematic for service providers and the public alike, who are all unclear about compliance with standards of privacy. In 2017, President Trump signed legislation repealing the FCC’s privacy protection for internet users. This has had the effect of repealing a set of Obama-backed regulations that would have made it illegal for internet providers to share, store, or collect certain forms of user data such as Web browsing history, location details, and usage history, without express user consent. This repeal comes amidst President Trump’s claims that the FBI illegally procured a warrant to investigate Carter Page, a former Trump presidential campaign advisor, in a probe into whether he conspired with the Russian government to influence the outcome of the 2016 U.S. election.

The consequences of a lack of data protection

The uneasiness of Republican lawmakers around the probe, for better or worse, reflects a resistance in the current administration to protecting the personal data of ordinary users from third parties. Concerns about President Trump’s understanding of the current landscape of cybersecurity have arisen because of his personal use of an unsecured iPhone to tweet.

Three of America’s largest opponents in cyberspace – Russia, China, and North Korea – all exercise state power with cybercrime. Many Chinese corporations value privacy, although some have a long history of intellectual property violations against the West that have come about through efforts to protect Chinese innovations. However, some believe that an undue focus on privacy laws may hamper the US tech sector, observing the drop in investment from the EU in Artificial Intelligence and robotics, a sector that depends greatly on access to personal data.   

Broadly speaking, a lack of protection for users’ personal data could lead to states’ aggressively pursuing national security objectives at the expense of citizens’ civil liberties – although, as a 2016 Pew Survey showed, some Americans are not excessively concerned about this. Neglecting the role of personal data breaches in cybersecurity will lead to increased vulnerability to cyber threats for the US. In the guidelines laid out in the Cybersecurity Framework from the National Institute of Standards and Technology (NIST) in 2014, protecting personal data is a crucial step towards safeguarding against cybersecurity risk and preparedness among both government and businesses.

The repercussions of ignoring or countermanding stronger privacy standards can negatively impact both the public and private sectors, increasing the risk to their cybersecurity and jeopardizing national security. Change in this arena can come about only with Congressional support. This is not merely an issue of consumer protection, but an opportunity to help shape the global landscape of data compliance regulation and also protect user data and improve cybersecurity preparedness. The pressure for the U.S. to catch up to global data compliance standards is increasingly evident.

About Author

Kwadwo Boateng

Kwadwo A. Boateng is a Ghanaian graduate student at the Walsh School of Foreign Service at Georgetown University who grew up in Johannesburg. He holds an Honors Degree in History from Trinity College Dublin, and has worked with a number of organizations including the International Rescue Committee, International Crisis Group, the United States Holocaust Memorial Museum, UBS Wealth Management, and Rolling Stone Magazine. “Youth is never a handicap, but a new vantage point from which we can hope to inspire the good in others.”