{"id":14957,"date":"2019-03-28T08:10:02","date_gmt":"2019-03-28T16:10:02","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/03\/28\/news-8706\/"},"modified":"2019-03-28T08:10:02","modified_gmt":"2019-03-28T16:10:02","slug":"news-8706","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/03\/28\/news-8706\/","title":{"rendered":"US Congress proposes comprehensive federal data privacy legislation\u2014finally"},"content":{"rendered":"

Credit to Author: David Ruiz| Date: Thu, 28 Mar 2019 15:00:00 +0000<\/strong><\/p>\n

The United States might be the only country of its size\u2014both in economy and population\u2014to lack a comprehensive data privacy law protecting its citizens\u2019 online lives.<\/p>\n

That could change this year.<\/p>\n

Never-ending cybersecurity breaches, recently-enacted international privacy laws, public outrage, and crisis after crisis from the world\u2019s largest social media company have pushed US Senators and Representatives into rarely-charted territory: regulation.<\/p>\n

Before Congressmembers\u2019 desks are at least four federal bills that would change how companies handle and protect Americans\u2019 private data. The bills seek better user privacy through increased transparency, oversight, fines, and liability, and, in the case of one bill, the possibility of jail time for dishonest tech executives.<\/p>\n

Several US states are also considering comprehensive data privacy bills, taking inspiration from California, which passed its own law last year. If those state laws pass, a new wrinkle will be added to the broader country-wide debate: Should state privacy protections be respected or should one federal law supersede those rules?<\/p>\n

This month, Malwarebytes Labs launched its limited blog series about data privacy and cybersecurity laws<\/a>. In this second blog in the series, we explore five federal data privacy bills.<\/p>\n

How we got here<\/h3>\n

For decades, Congress regulated data privacy based on single, sector-specific issues. Rather than writing laws to protect all types of data, they instead wrote laws to combat individual crises.<\/p>\n

In the late 80s, that crisis was a Supreme Court nominee\u2019s video rental history being leaked to the press, resulting in the Video Privacy Protection Act. In the late 90s, that crisis was the potential targeting of children online, resulting in the Children\u2019s Online Privacy Protection Act. In the mid-2000s, the kidnapping and murder of a Kansas teenager prompted lawmakers to discuss lowering protections on GPS data held by cell phone providers. (The proposed bill failed passage multiple times.)<\/p>\n

This reactive approach is just how Congress works, said Michelle Richardson, director of the data and privacy project at Center for Democracy and Technology (CDT).<\/p>\n

\u201cThis country has generally allowed companies to do their thing until something goes quite wrong,\u201d Richardson said. \u201cIt has to get worse before the US and its decision-makers and its cowboy personality feel ready to intervene.\u201d<\/p>\n

Today, Congress is again ready to intervene. The crisis at hand is two-fold.<\/p>\n

First, data breaches of Yahoo, Uber, Equifax, Marriot, Target, the Sony PlayStation Network, Facebook, Anthem, JPMorgan Chase, and many more have resulted in Americans\u2019 personally identifiable information being stolen or accessed by cybercriminals. This PII includes names, Social Security numbers, credit card numbers, passport numbers, dates of birth, account passwords, physical and email addresses, and even employment histories.<\/p>\n

Second, even when a company hasn\u2019t suffered a breach, Americans\u2019 personal data has been misused or left astray. The FBI searched private company DNA databases<\/a>. A period-tracking app shared its users\u2019 pregnancy decisions<\/a> and menstrual tracking information with Facebook. And political beliefs were reaped in an effort to sway a US presidential election<\/a>.<\/p>\n

Congress has concluded that user privacy can no longer be solely entrusted to America\u2019s technology companies.<\/p>\n

\u201cThe digital space can\u2019t keep operating like the Wild West at the expense of our privacy,\u201d said Amy Klobuchar, Democratic Senator of Minnesota and presidential candidate.<\/p>\n

Data privacy legislation has huge support outside of Capitol Hill, too\u2014from the public. Richardson said that, thanks to the work of researchers, journalists, and civil liberties advocates, the public better understands how their data moves from company to company.<\/p>\n

\u201cWe don\u2019t give nearly enough credit to civil media [outlets] and civil society [groups] for the research they\u2019ve done into data practices and for giving people cold, hard facts about how their data is collected,\u201d Richardson said.<\/p>\n

That research has exposed not just personal data misuse, but also corporate irresponsibility.<\/p>\n

Last year, Reuters showed that Facebook failed to fulfill its promise<\/a> to control the wildfire-like spread of hate speech on its platform in Myanmar. The Intercept exposed Google\u2019s plans<\/a> to build a censored version of its online search tool in China, resulting in several employee departures<\/a> and renewed questions<\/a> about Google\u2019s removal of its \u201cDon\u2019t Be Evil\u201d tagline. ACLU showcased the failures in Amazon\u2019s facial recognition software, revealing that the technology falsely matched 28 members of Congress with mugshots of arrestees<\/a>.<\/p>\n

Some US states have already responded.<\/p>\n

Last year, Vermont passed a law regulating data brokers<\/a>, and California passed its California Consumer Privacy Act. The law gives Californians the right to know which data is collected on them, whether that data is sold, the option to opt out of those sales, and the right to access that data. The law will take effect at the start of 2020.<\/p>\n

In the meantime, other states are aiming to follow suit. Washington<\/a>, Utah<\/a>, and New York<\/a> legislatures are all considering new laws that could give their residents better access and control to the information that companies collect on them.<\/p>\n

International data privacy law is even further ahead.<\/p>\n

Last year, the European Union successfully completed its effort<\/a> to pull together the data privacy laws of its 28 member-states into one cohesive package. The General Data Protection Regulation came into effect on May 25, 2018, and since then, it has produced lawsuits against Facebook and a record fine out of France against Google.<\/p>\n

At home and abroad, regulation is in the air.<\/p>\n

The proposals<\/h3>\n

Since last April, multiple US Senators have tried to take on the mantle of the public\u2019s chief data privacy protector. Some tried to show their commitment to data privacy by asking Facebook CEO Mark Zuckerberg pointed questions during his Congressional testimony regarding the Cambridge Analytica scandal. One Senator\u2014and presidential candidate\u2014made a direct public appeal<\/a> to break up Amazon, Google, and Facebook.<\/p>\n

But in putting actual ideas onto paper, four Senators have emerged as frontrunners in America\u2019s data privacy debate. Senators Klobuchar, Ron Wyden of Oregon, Marco Rubio of Florida, and Brian Schatz of Hawaii have directly sponsored individual, separate bills to protect Americans from opaque and unfair data collection.<\/p>\n

Google, Facebook, Amazon, Apple, Microsoft, Yahoo, Uber, Netflix, and countless others could be affected by these proposals.<\/p>\n

The bills ask for essentially the same thing: tighter controls on user data. Consequences often include higher fines from the Federal Trade Commission (FTC), which currently serves as the country\u2019s primary data misuse regulator.<\/p>\n

Sen. Klobuchar\u2019s bill<\/a>\u2014the first of the four to be formally introduced<\/a> in April 2018\u2014would require certain companies to write their terms of service agreements in \u201clanguage that is clear, concise, and well-organized.\u201d It would also require companies to give users the right to access data collected on them (similar to California\u2019s state bill and to GDPR), along with notifying users about a data breach within 72 hours.<\/p>\n

Sen. Rubio\u2019s bill\u2014the American Data Dissemination Act<\/a> (ADD)\u2014would require the FTC to write its own privacy recommendations for Congress to later approve. The ADD asks that the FTC\u2019s \u00a0rules closely align with the Privacy Act of 1974, which restricts how federal agencies collect, store, and share Americans\u2019 personal information. If passed, the FTC would have up to 27 months to get its own recommendations approved.<\/p>\n

The ADD would also \u201cpreempt\u201d\u2014meaning, it would nullify\u2014current and upcoming state data privacy laws. If passed, companies would only need to comply with the FTC\u2019s federal rules that Congress would later approve. California and Vermont would wave goodbye to their newly-passed laws, and Utah, Washington, and New York would likely shut down their own efforts.<\/p>\n

But preemption could be a deal-breaker for free speech advocates<\/a>, digital rights groups<\/a>, and government representatives.<\/p>\n

“Under the Rubio bill, Americans would not have their privacy protected,” said Center for Digital Democracy Executive Director Jeff Chester, in speaking to Bloomberg<\/a>. “State preemption is a non-starter as far as the consumer and privacy groups community and their allies in Congress are concerned.”<\/p>\n

In California, the state\u2019s attorney general also pushed back.<\/p>\n

\u201cFor those of you following debate over data #privacy, note: We oppose any attempt to pre-empt #California’s privacy laws…\u201d wrote Sarah Lovenheim<\/a>, communications advisor to California Attorney General Xavier Becerra.<\/p>\n

The opposition to Sen. Rubio\u2019s bill is compounded by its slow timeline, making it impossible for lawmakers to know what specific rules they could be asked to approve in two years\u2019 time.<\/p>\n

The ADD demands Congress make an unknown, gameshow-style choice: Keep the data privacy protections you have, or choose what\u2019s behind Door Number Two?<\/p>\n

Sen. Wyden\u2019s bill\u2014the Consumer Data Protection Act<\/a>\u2014sets itself apart as the only bill that includes jail time consequences.<\/p>\n

Sen. Wyden\u2019s bill would require data-collecting companies to deliver annual reports that detail their internal privacy-protecting efforts. Those reports would need to be signed and confirmed by a high-level company executive, like a CEO or CTO. But if those executives confirm a false report, they could face jail time, the bill proposes.<\/p>\n

The Consumer Data Protection Act would also require the FTC to set up a \u201cDo Not Track\u201d website where Americans could register to opt out of online tracking and third-party data sharing. Companies that fail to comply with consumers\u2019 wishes would face fines.<\/p>\n

This \u201cDo Not Track\u201d proposal is far from perfect. If a company\u2019s requirement to get user consent clashes with that user\u2019s Do Not Track preferences, the bill proposes a harmful compromise: Put the services behind a price tag. Paying for privacy is wrong, and, even if the bill passes, companies should refuse to engage in such a dangerous practice<\/a>.<\/p>\n

Finally, there is Sen. Schatz\u2019s Data Care Act, which relies on a novel interpretation of corporate responsibility. The bill equates the responsibility that doctors have to their patients\u2019 information as the same responsibility that technology companies should have to user data.<\/p>\n

\u201cJust as doctors and lawyers are expected to protect and responsibly use the personal data they hold, online companies should be required to do the same,\u201d Sen. Schatz said in a press release<\/a>.<\/p>\n

The bill creates rules under five broad umbrellas\u2014the \u201cduty to care,\u201d the \u201cduty of loyalty,\u201d the \u201cduty of confidentiality,\u201d federal and state enforcement, and rulemaking authority by the FTC to enforce the bill.<\/p>\n

Fifteen Senators from both parties have signed on as co-sponsors<\/a>, including Sen. Klobuchar. (Sens. Rubio and Wyden have not.) Several civil rights organizations, including Free Press, EFF, and CDT, have voiced support.<\/p>\n

\u201cWe commend Senator Schatz for tackling the difficult task of drafting privacy legislation that focuses on routine data processing practices instead of consumer data self-management,\u201d said CDT\u2019s Richardson in a press release.<\/p>\n

Here, Richardson is talking about something that she and the policy team at CDT find particularly important: consent. Many of today\u2019s data privacy bills lean heavily on the idea that clearer terms of service and more notifications and more annual reports will somehow empower consumers to make the right choices for themselves when consenting to use online platforms.<\/p>\n

But that\u2019s unfair, Richardson said.<\/p>\n

\u201c[CDT\u2019s] biggest concern is that a lot of these proposals are a notice-and-consent model. They look at these agreements we sign and say, \u2018Maybe make them clearer,\u2019 for example,\u201d Richardson said. \u201cThat\u2019s doubling down on our existing system, where it\u2019s up to individuals to micromanage their relationships with hundreds, if not thousands of companies that touch their data every day.\u201d<\/p>\n

So, CDT\u2014which routinely discusses already-authored legislation with Congressmembers\u2014took a different approach. The organization wrote its own bill<\/a>.<\/p>\n

The bill\u2019s rules are not built on consent. Instead, CDT\u2019s bill focuses, Richardson said, on \u201cwhat are the things you can\u2019t sign away? What are your digital civil rights?\u201d<\/p>\n

CDT\u2019s bill would give US persons\u2014including residents\u2014the rights to access, correct, and delete data that is collected on them, along with the right to take their personal data and move it somewhere else (which is similar to a right granted in the European Union\u2019s GDPR<\/a>). The bill would also require the FTC to investigate and write rules barring discriminatory practices in online advertising.<\/p>\n

Companies affected by CDT\u2019s bill would be given 30 days to put into place mechanisms for users to exercise their above rights. Also, if those companies license or sell personal information to third parties, they would need to assure that their third-party partners are practicing the same privacy commitments as the companies themselves.<\/p>\n

Similar to Sen. Rubio\u2019s bill, CDT\u2019s bill would pre-empt state laws, but only those that focus on data privacy. Laws that deal with, say, consumer protection or data breaches, would remain intact.<\/p>\n

As to which federal bill will prevail\u2014it\u2019s a bit of a tossup. Passing a bill into law is never as easy as getting the best idea forward. Big Tech is sure to lobby against any bill that would cut into its business model, and civil liberties groups could, depending on the legislation, disagree with one another about the best path forward.<\/p>\n

Until then, CDT thinks it is taking the right approach, removing the burden from users and instead protecting what their rights should look like in the future.<\/p>\n

Richardson put it plainly: \u201cThis is a moment about having corporations treat us better.\u201d<\/p>\n

In our next blog in the series, we will look at data privacy compliance for businesses seeking to expand outside the US market.<\/p>\n

The post US Congress proposes comprehensive federal data privacy legislation\u2014finally<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n

https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Credit to Author: David Ruiz| Date: Thu, 28 Mar 2019 15:00:00 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
The United States might be the only country of its size to lack a comprehensive data privacy law protecting its citizens\u2019 online lives. That could change this year.<\/p>\n

Categories: <\/p>\n