What if more privacy was the law?
The European Union has already made it so with its General Data Protection Regulation, whichto request information on who has their data, as well as the right to ask for copies or have it deleted. Until recently, however, the law appeared likely to have only limited benefits for people outside of Europe.
One possible benefit to people in the US is that companies might decide to extend the law’s privacy protections to users worldwide. The rules also require companies to notify users of data breaches quickly, meaning reports of Europeans being affected by a hack could be a precursor for similar news around the world.
Now, the law’s reach in the US could be much bigger. Privacy experts say it’s becoming more likely that lawmakers will enact regulations in the US that borrow from the EU law, commonly called the GDPR. If they do, a new law would mark a sea change in the way the federal government approaches privacy regulations.
The change in attitude is thanks to the widening data scandal at Facebook, which involves political consultancyof information of as many 87 million of the social network’s users. The new willingness to consider regulation was on display on Tuesday and Wednesday, when members of Congress repeatedly asked Facebook CEO Mark Zuckerberg how he felt about the prospect of his company being regulated.
“I think if it’s a right regulation, then yes,” he told one senators on Tuesday.
Taking regulation to the next level
Lawmakers have introduced many privacy-oriented bills before. But they’ve all been narrowly focused.
After the Equifax hack in September, which compromised the personal information of, lawmakers over the data that credit reporting agencies can collect on them, require businesses to inform consumers of data breaches . In the same year, Rep. Marsha Blackburn, a Republican from Tennessee, introduced the Browser Act, which would require web-based services to let users opt in or out of having their data collected.
Privacy in the US is already regulated to some extent by the Federal Trade Commission and the Federal Communications Commission.
The agencies’ regulations don’t have the teeth of GDPR, which levies steep fines against companies for violating the rules. Those penalties can go up to 20 million euros or 4 percent of a company’s annual revenue — whichever is higher.
Zuckerberg on privacy regulation
Zuckerberg’s questioning in two separate congressional hearings marked the most high-profile public discussion of enacting broader privacy regulations we’ve seen yet.
On Tuesday, Sen. Lindsey Graham, a Republican from South Carolina, asked Zuckerberg if he thinks the Europeans got it right.
“I think that they get things right,” Zuckerberg said, triggering laughter.
On Wednesday, Rep. Scott Peters, a Democrat from California, asked Zuckerberg what specific parts of the GDPR he thinks are a good idea.
“In general, it is going to be a very positive step for the internet,” Zuckerberg said. He said many of the rights given to users by the law to control data were already available on Facebook.
In response to the idea of requiring businesses to make those controls more obvious and get affirmative consent for data collection, as the regulation requires, Zuckerberg said, “I think it makes sense to do more.” Facebook hasto let you delete information from the social network permanently.
As for what the regulation gets wrong, Zuckerberg said, “I need to think about that more.”
Bringing GDPR stateside
Despite the hours of questioning Zuckerberg underwent, privacy advocates said lawmakers weren’t firm enough on the question of regulation.
“We shouldn’t be begging for Facebook’s endorsement of laws, or for Mark Zuckerberg’s promises of self-regulation,” said Zephyr Teachout, an activist and professor at Fordham University School of Law, in an opinion piece in the Guardian.
While it could be a long shot, the tech sector might come to support specific laws in the future, said Lorrie Cranor, former chief technologist at the FTC under the administration of President Barack Obama.
“They may say, ‘There are parts of GDPR that we might as well have in the US because we’re complying with them anyway,'” Cranor said. That wouldn’t be out of the goodness of their hearts though.
Businesses may prefer to have one standard they have to comply with rather than spending resources on following different regulations in different countries. What’s more, there could be a financial incentive for big companies to make some of the GDPR the law in the US. “It will be much easier for large companies to deal with compliance, so it will give them an advantage over smaller companies,” Cranor said.
Industry group opposition
Currently, industry groups aren’t in favor of passing a law mirroring the GDPR. “Its light-touch approach to internet regulation has made the US digital economy the envy of the world,” the Information Technology & Innovation Foundation said in a statement Tuesday. “Taking steps toward European-style privacy regulation would offer only marginal value to users, but it would significantly erode US competitiveness and Internet innovation.”
Cranor said she thinks that sentiment will keep any regulation that passes limited.
“I’m not saying that all of GDPR has any chance of passing in the US, but there may some pieces that have a chance if industry gets behind it.”
Cambridge Analytica: Everything you need to know about Facebook’s data mining scandal.
Blockchain Decoded: CNET looks at the tech powering bitcoin — and soon, too, a myriad of services that will change your life.