A GDPR-ty in the USA?
The advent of the internet, which has transformed historical norms ranging from commerce to social interaction, has raised anew for policymakers across the globe the issue of privacy. The right to privacy, of course, isn’t a new issue – colonial law in the New World both afforded protections against eavesdropping, defined as “listen[ing] under walls or windows, or the eaves of a house, to hearken after discourse, and thereupon to frame slanderous and mischievous tales” and set forth criminal penalties for acting as a “common scold”. (A notable aside: under colonial English law, only women could be charged with this crime.)
Advances in technology since the 18th century, of course, have created policy questions for legislators and regulators around the world. One need only look at the reaction to the Facebook/Cambridge Analytica data breach – and the score of data breaches at financial firms and retailers in the years immediately preceding it – to conclude that data privacy is an area of intense focus for policymakers.
European authorities are leading the way. Late last month, following a two-year window to allow for implementation and compliance, the European Union’s General Data Protection Regulation (GDPR), took effect. GDPR, which aims to give European consumers significantly more control over how their personal data is used and shared, is a far-reaching data privacy and protection regime that applies to the collection and use of consumer data across virtually every industry and use case and prescribes onerous penalties on firms that misuse or mishandle consumer data. Though there were some early hiccups – a number of websites, including the Chicago Tribune and the LA Times initially blocked access for European readers – there is unquestionably growing interest globally in GDPR-like regimes.
So how are how are U.S. policymakers and consumers contemplating data privacy today and how likely are we to implement an American version of GDPR? The answer is slowly but surely.
GDPR is not yet a household acronym in the states, but Americans are on full alert when it comes to data sharing and privacy. According to a mid-May Morning Consult poll, 79 percent of American adults do not want companies to share data with other entities in order to advertise to them online. Others surveys show it’s not only social media that consumers are worried about. Public Policy Polling found 79 percent of Americans are concerned about the security data collected by driverless cars.
And though one might expect that these numbers are heavily influenced by the recent Facebook/Cambridge Analytica scandal, consumers’ views about data privacy and sharing have been always been strong. A Money poll taken 11 years ago, when Facebook only had 20 million active users worldwide (compared to 2.2 billion today), showed nearly nine in 10 Americans wanted a privacy bill of rights. The Electronic Privacy Information Center provides a remarkably comprehensive overview of public polling on this matter since the early 1990s. Their findings include:
93 percent of respondents believed in 1991 that companies should gain permission before selling personal information.
72 percent agreed in 1997 there should be new laws to protect privacy on the Internet.
57 percent of Americans wanted laws in 2000 to regulate how information was collected and used and 92 percent were uncomfortable if a website they visited shared user information with other organizations.
Two-thirds of Americans wanted Congress federal legislation to protect online privacy in 2001.
94 percent of Americans in 2003 agreed with the statement, “I should have a legal right to know everything that a web site knows about me.”
At a time when Americans are divided on nearly every issue, policymakers are taking notice of the near unanimity on data privacy from voters across the political spectrum. Earlier this year, U.S. House Minority Leader Nancy Pelosi (D-Calif.), who, depending on the outcome of the mid-term elections could very well return to her former role as Speaker of the House, asked fellow Californian Rep. Ro Khanna to draft an “Internet Bill of Rights.” The congressman, who hails from Silicon Valley, recently told Recode, “The answer can’t be, on a scale of one to 10, Europe’s regulations [are] a nine, we’re a zero.” Recognizing that a full-blown implementation of GDPR in the United States may be a shock to the system, Khanna wants the United States to, at least initially, improve to “a four or a five.”
These efforts have bipartisan legs. After it was revealed this month that Facebook shared U.S. users’ data with a Chinese cell phone manufacturer, the Republican chairman of the powerful House Energy and Commerce Committee demanded, “full transparency from Facebook and the entire tech community.” Conservative Senator Chuck Grassley (R-Iowa), a proponent of free markets, has called several hearings in the United States Senate to explore the policy considerations surrounding privacy in the internet age and has opined, “[l]eft largely untethered by government regulation, the pioneering men and women of the digital frontier face serious questions about their approach to privacy.”
While Washington begins what is sure to be a long process of implementing a modernized privacy regime, several states are plotting their own path. Legislators in California, Illinois, Louisiana, Michigan, New York, Oregon, South Dakota, and Vermont are considering bills that would stand up or expand modern data privacy regimes for the digital age.
In 2013, Bill Gates famously explained, “Historically, privacy was almost implicit, because it was hard to find and gather information. But in the digital world, whether it's digital cameras or satellites or just what you click on, we need to have more explicit rules—not just for governments but for private companies.”
Americans have wanted privacy rules for years. In the wake of GDPR, they might get their wish, even if it takes some time.