The Goldilocks dilemma - the porridge challenge for US legislators in pursuit of 'GDPR-US'

Stuart Lauchlan, January 14, 2019
Not too hot, not too cold, but just right - the Goldilocks challenge facing data protection reformers in the US, according to ITIF.

Lack of unified data privacy laws has enabled the US tech sector to rise above the likes of the European Union, whose data protection policies have led to innovation having “fallen by the wayside” - and that’s a mistake that current calls for US privacy reform risk making.

That’s the uncomfortable conclusion to be found in a new report from the US non-profit thinktank, the Information Technology and Innovation Forum (ITIF), which goes on to warn that while there’s a push towards a Federal level reform of data protection laws, the US authorities need to be careful that any such move doesn’t hurt the commercial interests of the nation’s digital economy.

The report goes so far as to suggest that rather than prioritize consumer privacy protections, as has been the case in the EU, any US legislation needs to take a more ‘bottom line’ focus. Daniel Castro, Vice President, ITIF, & co-author of the report says:

Rather than trying to maximize consumer privacy, data privacy legislation should focus on maximizing consumer welfare, which also includes lower prices, consumer freedoms such as choice and expression, and the innovation that leads to new products and services. Europe is a case study in how to create a data protection law that harms the digital economy and create needless red tape. The United States has an opportunity to do it much better.

Castro’s co-author and ITIF Senior Policy Analyst Alan McQuinn adds:

Privacy regulations aren’t free—they create costs for consumers and businesses, and if done badly, they could undermine the thriving US digital economy. To avoid throwing a wrench into the digital economy and imposing expensive compliance burdens on businesses across all sectors, any data privacy regulations should create rules that facilitate data collection, use, and sharing while also empowering consumers to make informed choices about their data privacy.

In its summary, the report criticises the impact of Europe’s General Data Protection Regulation as an example of how supposed damage to business interests can occur:

It is relatively easy to pass legislation to maximize consumer privacy. Indeed, the European Union did just that when it created the General Data Protection Regulation (GDPR)—a set of strict data protection rules for EU member states—which went into effect in May 2018. But this regulation came at a steep price: high compliance costs that were passed on to consumers; reduced choice in the digital economy as some firms choose not to provide services; and limited innovation as it becomes much more difficult for organizations, including nonprofits, to use data to innovate and improve services.

The report comes down heavily against GDPR and its “deleterious effects” with ITIF citing studies of US firms with over 500 employees that were landed with compliance costs of up to $10 million. This also ended up hurting Europe, it argues:

These effects played out after GDPR went into effect—hundreds of websites stopped servicing Europe entirely, and demand for online ads in Europe plummeted by between 20 and 40 percent. Indeed, as of December 4, 2018, over 1,129 US news sites were still not available in the European Union due to these rules. Furthermore, GDPR is expected to affect the deployment of emerging technologies. For example, a 2017 Center for Data Innovation report argued that by raising the legal risks of companies developing and using artificial intelligence (AI), GDPR will have a negative impact on the development and use of AI in Europe.

Lesson learned?

Learn the lesson, is the underlying message to the siren voices calling for a GDPR-US avatar:

Europe’s problems with lagging development and adoption of digital technologies have existed for decades, and were caused by many factors, including the lack of a digital single market. But stringent data privacy rules that limit innovation also played a role. The United States should learn from Europe’s mistakes and avoid following in its footsteps.

The report cautions US legislators to pause for thought and appreciate the scale of what’s involved in data protection reform:

Policymakers who ignore the complexity of complying with privacy laws or the hidden costs of these regulations risk creating rules that undermine the digital economy by restricting the overall digital ecosystem and the benefits it provides consumers. The goal of data privacy legislation should therefore not be to myopically maximize consumer privacy, but to maximize consumer welfare. In other words, consumer welfare involves privacy, but it also involves lower prices (or free products and services) and the development of new products and services. This approach requires finding the optimal level of regulation for the digital economy, with rules that are neither too weak nor too strong.

So how does ITIF anticipate legislators delivering this ‘Goldilocks’ solution - not too hot, not too cold, but just right - to the growing calls for data protection reform in the US? Well, it won’t be easy, is the immediate answer, but what’s needed apparently is a Grand Bargain. (That’s a reference to the 2011 effort to bridge the gap between Republicans and Democrats during that year’s budget talks. Needless to say, it didn’t work, so the analogy isn’t entirely an optimistic one.)

But ITIF does put some meat on the bones by illustrating 30 components of existing laws and frameworks from around the world and isolating their impact on the digital economy of each region. This in turn leads to ten recommendations for any Federal Government legislation on data protection:

  1. Create a single set of data privacy rules for the US, pre-empting and replacing state-level action.
  2. Create a common set of federal protections for all types of data.
  3. Create data protection rules based on both the type of data and the type of entity collecting the data, distinguishing between sensitive and non-sensitive data.
  4. Enable consumers to make more informed decisions via transparency requirements to provide consumers with information on what types of organizations can access personal data and how it is being used.
  5. Establish clear consumer rights BUT only include a limited right to rectification for sensitive data collected by critical services and a limited right of access that accounts for costs.
  6. Address concrete consumer harms, rather than hypothetical ones, with the Federal Trade Commission (FTC) overseeing and weighing the costs of compliance against benefits.
  7. Improve enforcement by giving the FTC “limited” rule-making authority for privacy.
  8. Promote international interoperability with no limits on cross-border data flows.
  9. Protect innovation by not including a consumer right to deletion or a Right To Be Forgotten and by not placing limits on data retention.
  10. Minimize compliance costs for US organizations - no private right of action, no privacy-by-design provisions and no specifications as to how information should be protected.

My take

This reads as a report with an agenda that runs against the tide of calls for Federal Government action on data privacy protections for consumers in the US. I find myself rather disappointed - naively perhaps - by the ‘have your cake and eat it’ tone of the report from what is generally regarded as a scrupulously non-partisan organization with a lot of influence and clout among policy-makers. It’s a very different approach to the EU mindset when it comes to data protection rights and responsibilities and one that reminds us again that there’s a massive transatlantic divide here that’s only going to get bigger over time. Consumer rights v commercial interests - there’s a long, long way to go in this debate in the US.
