{"id":15749,"date":"2019-07-10T08:10:07","date_gmt":"2019-07-10T16:10:07","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/07\/10\/news-9496\/"},"modified":"2019-07-10T08:10:07","modified_gmt":"2019-07-10T16:10:07","slug":"news-9496","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/07\/10\/news-9496\/","title":{"rendered":"What should a US federal data privacy law ideally include?"},"content":{"rendered":"

Credit to Author: David Ruiz| Date: Wed, 10 Jul 2019 15:00:00 +0000<\/strong><\/p>\n

In the constant David-and-Goliath struggle<\/a> between digital privacy advocates and corporate privacy invaders, the question of how to legally protect Americans with a comprehensive, federal data privacy law provides conflicting answers. Advocates want protections, which Big Tech interprets as restrictions. <\/p>\n

As of today, there is no one digital privacy law to rule them all. While a few state laws<\/a> exist that protect consumer privacy here in the US<\/a>, overarching federal legislation, such as the Global Data Privacy Regulation (GDPR) in Europe<\/a>, has not yet penetrated the market. <\/p>\n

US-based corporations must comply with GDPR if they have a global presence, but that’s only for their European customers\u2014and many have found convenient workarounds. Who will protect the American user? Smaller tech? Privacy-forward tech? What about we-don\u2019t-have-a-lobbying-war-chest tech? How do they feel about a federal privacy law?<\/p>\n

For months, Malwarebytes Labs has reported on data privacy laws in the United States<\/a> and abroad<\/a>. But the question of federal legislation that applies to the entire country has gone unanswered, as multiple Senate proposals have yet to move forward. <\/p>\n

Further, despite Big Tech\u2019s recently-avowed commitment to regulation<\/a>, those same companies are reportedly funding efforts to dismantle newly-enacted stateside data privacy protections<\/a>. <\/p>\n

But earlier this year, a group of tech companies stood opposed. They wanted to strengthen one of those same privacy protections. This tech group included some of the most recognizable company names in user privacy: DuckDuckGo, Ghostery, ProtonMail, Lavabit, Brave, Vivaldi, Purism, and Disconnect. <\/p>\n

We asked those companies to broaden their sights beyond state legislation. What did they want, if anything, from a federal data privacy law for the United States?<\/p>\n

What’s the goal?<\/h3>\n

For many of these privacy-forward companies, a federal data privacy law would be far from restrictive. Instead, it is considered necessary.<\/p>\n

Todd Weaver is the founder and chief executive of Purism<\/a>. He supports a federal data privacy law, so long as it isn\u2019t stripped of meaningful user protections and doesn’t create barriers to success for startups and mid-sized companies. Federal legislation could be, Weaver said, the one way to finally defend the public from an ongoing digital privacy crisis. <\/p>\n

\u201cWe\u2019re talking about the exploitation of people in the digital world, and this is a giant problem,\u201d Weaver said. He continued:<\/p>\n

\n

\u201cThe problem can be boiled down to things that nobody should ever know. Those are where people are, what people do, and who talks to whom.\u201d <\/p>\n<\/blockquote>\n

In the US, those pieces of information are far from protected, though. Where we are, what we do, and who we talk to fuels a massive corporate surveillance machine driven by social media behemoths, aggressive online tracking, and unseen data brokers, all motivated by continuously-climbing advertising revenue. No current law forbids much of this. <\/p>\n

So how do we fix it? Here are a few ideas from privacy advocates.<\/p>\n

Like the CCPA…but better <\/h3>\n

Last year, California\u2019s then-governor Jerry Brown signed the California Consumer Privacy Act (CCPA)<\/a>. Effective January 1, 2020, the CCPA grants Californians the rights to know what data is collected on them, whether that data is sold, the option to opt out of those sales, and the right to access that data. <\/p>\n

In April, privacy search engine DuckDuckGo, joined by 23 other technology companies<\/a>, sent a letter to the California Assembly\u2019s Privacy Committee asking that the law be bolstered. The requested improvements, DuckDuckGo wrote, would include the right to opt out of having information shared\u2014not just sold\u2014and the right to sue companies that violated any privacy provision of the CCPA. <\/p>\n

Helen Horstmann-Allen, chief operating officer at email provider Fastmail (which signed onto DuckDuckGo\u2019s letter) said she would appreciate seeing legislation similar to CCPA go national.<\/p>\n

“We were pleased to see California take the lead with their privacy laws to reflect how companies do business today. Expanding the scope of privacy legislation recognizes that companies don\u2019t need to sell data to violate consumer privacy,\u201d Horstmann-Allen said. \u201cWe\u2019d love to see this type of legislation move on the national level as well. Privacy rights shouldn\u2019t end at the state line.”<\/p>\n

Jeremy Tillman, director of product at the ad-blocking browser extension Ghostery, made similar comments in a 2018 opinion piece for The Hill<\/a>: <\/p>\n

\u201cIf there is serious traction for federal consumer privacy legislation, which there absolutely should be, the California Consumer Protection law can serve as a solid template to model future laws after.\u201d<\/p>\n

A consumer’s right to sue for privacy violations<\/h3>\n

California\u2019s privacy law received a major setback this year when a proposed amendment did not pass one of the state\u2019s Senate committees<\/a>. The amendment, SB 561, would have given Californians the right to sue a company that violated any privacy rights<\/a> described in the CCPA. <\/p>\n

Currently, CCPA only gives Californians the right to sue a company for the harm of a data breach. Though a novel inclusion when compared to the dearth of privacy protections across the nation<\/a>, some argue that broader opportunities to go to court are needed.  <\/p>\n

\u201cIf you can\u2019t sue or do anything to go after these companies that are committing these atrocities, where does that leave us?\u201d Weaver said. \u201cWe\u2019ve already seen that with the CCPA in California.\u201d <\/p>\n

At least 40 bills have been introduced in California<\/a> with the near-uniform purpose to amend the CCPA into a weaker version of itself. AB 846, for example, would have limited the CCPA\u2019s discrimination prohibition. AB 873 would have pared down the definition of individuals\u2019 personal information<\/a>. <\/p>\n

More attempts to weaken the CCPA remain, Weaver said. <\/p>\n

\u201cOne of those bills is just about defanging the entire regulation,\u201d Weaver said. \u201cIf you do that, if you defang, [the law] is just paper.\u201d<\/p>\n

Transparent data collection practices <\/h3>\n

Ghostery\u2019s Tillman echoed the above sentiments that any federal data privacy legislation should \u201chold big tech accountable for their deceptive data collection practices,\u201d but he added:<\/p>\n

\u201c[It] should require that any data collection occur as part of a transparent, easy-to-understand transaction where the cost to consumers is clear, enabling them to be knowing and voluntary participants in an ad-supported and data-driven economy.\u201d<\/p>\n

Design for interoperability with GDPR <\/h3>\n

Johnny Ryan, chief policy officer for the privacy-focused web browser Brave, testified earlier this year before the US Senate Judiciary Committee about a potential federal data privacy law. Such a law, Ryan said, should hew closely to the standards of a popular, across-the-pond framework: the European Union\u2019s General Data Protection Regulation (GDPR).<\/p>\n

\u201cWe view the GDPR as essential,\u201d Ryan said in an email to Malwarebytes Labs. \u201cIt can establish the conditions to allow young, innovative companies like ours to flourish.\u201d<\/p>\n

Ryan told the committee that two elements within the GDPR can help both protect Americans\u2019 data and give opportunities for small companies to meaningfully compete with Silicon Valley\u2019s biggest, most entrenched businesses. Those two provisions are the \u201cpurpose limitation\u201d principle\u2014which protects people\u2019s data from being used in ways they could not anticipate\u2014and the ability to easily opt out of a company\u2019s data collection. <\/p>\n

\u201cThese two GDPR tools, the \u2018purpose limitation principle\u2019, plus the ease of withdrawal of consent, enable freedom,\u201d Ryan told the committee. \u201cFreedom for the market of users to softly \u2018break up\u2019\u2014and \u2018un-break up\u2019\u2014big tech companies by deciding what personal data can be used for.\u201d<\/p>\n

Further, Ryan said to Malwarebytes Labs, a US federal data privacy law inspired by GDPR\u2014particularly in defining concepts like personal data, opt-in consent, and profiling\u2014will provide technology companies with a streamlined path toward compliance, since many have already worked toward complying with GDPR. <\/p>\n

\u201cThe standard of protection in a federal privacy law, and the definition of key concepts and tools in it, should therefore be compatible and interoperable with the emerging GDPR de facto standard that is being adopted globally,\u201d Ryan said. <\/p>\n

Do not undermine states\u2019 individual data privacy laws <\/h3>\n

Ever since Americans learned about a European consultancy\u2019s effort to sway the 2016 US Presidential election by harvesting the Facebook data of tens of millions of non-consenting users, individual US states have clamped down hard on data misuse against their residents. <\/p>\n

California passed the CCPA. Vermont passed a law regulating data brokers<\/a>. Maine passed a law<\/a> placing restrictions on how Internet service providers share Mainers\u2019 personal information<\/a>. <\/p>\n

But those state laws could be in trouble if a federal data privacy law calls for their nullification. Such a provision exists in both Senator Marco Rubio\u2019s data privacy bill and in the draft privacy legislation written by Center for Democracy and Technology. <\/p>\n

This superseding provision\u2014called \u201cpre-emption\u201d\u2014is unacceptable to Brave. <\/p>\n

\u201cThe federal law should be of equal or higher standard to state laws, and should not undermine state laws,\u201d Ryan said. <\/p>\n

A \u201cDigital Bill of Rights\u201d <\/h3>\n

When explaining what he would like to see in a federal privacy bill, Weaver repeatedly returned to the idea of a \u201cDigital Bill of Rights.\u201d It is an idea his company has already acted on, having written out and implemented several of the principles. <\/p>\n

Included in the company\u2019s Digital Bill of Rights are: <\/p>\n