Shaping 'GDPR-US' - it's a long way from Davos to Washington in more ways than one
Summary: Trust and privacy will be on the agenda at the World Economic Forum meeting in Davos this week, but will it be matched by action back in Washington?
While some business leaders have been talking up this topic for years, most notably perhaps Salesforce CEO Marc Benioff, the events of the last twelve months have put privacy rights on top of the tech agenda and with them the question of how business can win back the confidence and trust of citizens around the gathering and handling of personal data. Meanwhile the calls for US Federal level legislation akin to Europe’s General Data Protection Regulation (GDPR) grow louder.
While not on the formal agenda in Davos, Apple CEO Tim Cook was lauded last week for an opinion piece published by Time magazine in which he called for a seismic shift in attitudes to privacy, citing “a shadow economy that’s largely unchecked — out of sight of consumers, regulators and lawmakers”. He wrote:
In 2019, it’s time to stand up for the right to privacy — yours, mine, all of ours. Consumers shouldn’t have to tolerate another year of companies irresponsibly amassing huge user profiles, data breaches that seem out of control and the vanishing ability to control our own digital lives…Technology has the potential to keep changing the world for the better, but it will never achieve that potential without the full faith and confidence of the people who use it.
The article is a further iteration of four key principles that Cook has previously talked about, which are:
- The expectation that companies should commit to collecting as little information from customers as possible rather than trying to get a hold of as much as they can.
- The right for individuals to know what data is being gathered and why.
- The ability for individuals to have access to any personal data being held by a company and to amend or delete it.
- Mandated levels of data security to ensure that information which is held is in safe hands.
It was to the first of these principles that the Apple CEO turned most of his attention in this latest statement, particularly the role played in the digital economy by so-called ‘data brokers’ with their insatiable appetite to pursue more and more information and sell it on. This causes significant problems of “actors trafficking in your data behind the scenes”, wrote Cook:
One of the biggest challenges in protecting privacy is that many of the violations are invisible. For example, you might have bought a product from an online retailer—something most of us have done. But what the retailer doesn’t tell you is that it then turned around and sold or transferred information about your purchase to a ‘data broker’—a company that exists purely to collect your information, package it, and sell it to yet another buyer.
To tackle this, Cook wants the US Federal Trade Commission (FTC) to set up a clearing house for such brokers. This would require them to register their business and provide transparency to consumers to track their data and any transactions associated with it. Consumers would also be given the right to delete their data “on demand, freely, easily and online, once and for all”.
It was a sufficiently high-profile set of demands that it elicited a formal response from Acxiom, one of the biggest ‘data brokers’, in which it positioned itself as having long championed an ethical data use framework:
We agree that we must root out the nefarious players in the ecosystem, and Acxiom's data privacy impact assessment (DPIA) process ensures we don't do business with questionable companies.
It added that it was working with US legislators to deliver a Federal level privacy law, but echoed a warning made recently by the Information Technology and Innovation Forum thinktank that there’s a bottom line cost to the economy of privacy:
We believe it would be universally beneficial if we were able to work with Apple and other industry leaders to define the best set of laws that maintain the benefits of data in our economy while giving the necessary protections and rights to all people. What everyone must understand is that the cost of compliance for all businesses in the US will be punitive and detrimental to our economy if everyone must adhere to multiple and independent state laws versus a singular, united set of policies across the US.
Meanwhile in Washington
The pursuit of such a unified national approach is one that is gaining some traction in Washington, with attention to the topic being sharpened by the looming 2020 arrival of California’s Consumer Privacy Act. For those opposed to tougher data protection legislation, if that comes into effect it sets a powerful - and dangerous, if that’s your mindset - precedent. Better by far to get national legislation in place that supersedes such state level law and is softer in tone.
The latest example of that comes from Republican Senator Marco Rubio, who has introduced a bill called the American Data Dissemination (ADD) Act.
Rubio’s proposals call on the FTC to submit privacy requirements to Congress, building on the existing Privacy Act of 1974. Congress would then have two years to come up with concrete legislation or the FTC itself would come up with the rules. Rubio says his plan would support all sizes of players in the digital economy:
There has been a growing consensus that Congress must take action to address consumer data privacy. However, I believe that any efforts to address consumer privacy must also balance the need to protect the innovative capabilities of the digital economy that have enabled new entrants and small businesses to succeed in the marketplace.
That is why I am introducing the American Data Dissemination Act, which will protect small businesses and startups while ensuring that consumers are provided with overdue rights and protections. It is critical that we do not create a regulatory environment that entrenches big tech corporations. Congress must act, but it is even more important that Congress act responsibly to create a transparent, digital environment that maximizes consumer welfare over corporate welfare.
Crucially, ADD would replace all and any state level legislation, which is likely to be a sticking point. Last year, 47 State Attorneys General wrote to Congress calling for any Federal bill on data privacy not to override state laws.
Rubio also fails to outline any form of punitive regime or consequences for companies later found to be in breach of the national rules. One of the major strengths - theoretical as still largely untested - of GDPR is the financial penalties that can be imposed on miscreants. At present, Rubio has no co-sponsor for his plan.
My take
As I’ve said before, the direction of travel on ‘GDPR-US’ is set. The only question is whose voices prevail when it comes to the terms and conditions. While there are some powerful tech sector calls for action and we’ve yet to see a CEO coming out and saying he or she isn’t in favor of reform, it’s perfectly clear that there’s a lot of lobbying going on in Washington circles that doesn’t necessarily map on to the ‘politically correct’ statements of support.
Rubio’s ADD proposals are hopelessly lacking any meat on the bone in their current form. It’s possible that they will be fleshed out in the months to come, but right now they look like a token gesture towards ‘something must be done, here is something, this must be done’.
While it would be good if the carrot of rebuilding trust with the consumer were enough incentive for change, the reality is that there’s a need for a big stick of financial punishment if any US data privacy legislation is to prove effective. Hit the bottom line! The problem is, that’s so counter to the American Dream and the current MAGA agenda in the Oval Office that the blockages from vested interests that will be put in the way of radical change will be immense. This week in Davos, we’ll hear good words about what needs to be done. Actually getting it done will be a whole different matter.