In the wake of the Facebook and Google scandals which, in the colorful words of Mother Jones magazine, “have transformed Silicon Valley from America’s startup darlings to the country’s biggest corporate creeps,” US lawmakers are under increasing pressure to write a national privacy law like the European Union’s robust GDPR rules.
There have been a number of bills offered, including one by Sen. Ron Wyden (D-OR), who proposed an inexplicably unpopular bill that would jail executives who mishandle consumer data. Unfortunately, none of the proposals offered so far have attracted much support.
Hawaii senator Brian Schatz, the top Democrat on the Senate Communications, Technology, Innovation, and the Internet Sub-Committee is hoping The Data Care Act, which he introduced before Christmas with 14 other Democratic senators, will be the catalyst that leads to a comprehensive and bipartisan set of data protections that require websites, apps, and other online providers to take responsible steps to safeguard personal information and stop the misuse of users’ data. Said Senator Schatz:
Doctors, lawyers, and bankers are legally required to exercise special care to protect their clients and not misuse their information. While online companies also hold personal and sensitive information about the people they serve, they are not required to protect consumers’ data. This leaves users in a vulnerable position; they are expected to understand the information they give to providers and how it is being used – an unreasonable expectation for even the most tech-savvy consumer. By establishing a fiduciary duty for online providers, Americans can trust that their online data is protected and used in a responsible way..
The idea itself is not new. Jack Balkin, a professor at Yale Law School and the founder and director of Yale’s Information Society Project, proposed the idea of an information fiduciary back in 2016 but this is the first major attempt at federal legislation that would hold companies accountable for how they use consumer data. Said Schatz:
We’re not using the word fiduciary, because that has a tendency to create confusion because of various other legal connotations. But what’s clear is that there’s an opportunity to do something big and bipartisan on privacy and that these companies are not going to voluntarily behave. They lack the will. And I think they’re not even sure what they would do if they could conjure the will…They need to be overseen by federal agencies with real authority to make rules and levy fines.
The Data Care Act establishes three key duties that will require providers to protect user data and will prohibit providers from using user data to their detriment. Sen. Schatz described those duties thusly:
The duty of care, which is essentially cybersecurity, to secure the data, and to inform people if there are breaches…
A duty of loyalty. Loyalty, in my view, is the most important and foundational aspect of the bill, which is to say that whatever the circumstances are, the data being collected online, whether it’s through the Internet of Things, or through a social network, or from the cable company or whatever, whomever collects the data has a duty not to utilize that data to the detriment of the user.
Third, is the duty of confidentiality, which essentially attaches the first two duties to any partners or third-party providers that may have a relationship with the company that originally collected the data.
The act grants rule-making authority to the Federal Trade Commission to implement the act. A violation of the duties will be treated as a violation of an FTC rule with authority to levy hefty fines on violators. States may also bring civil enforcement actions, but the FTC would be empowered to intervene.
In addition to Schatz, the Data Care Act is co-sponsored by U.S. Senators Maggie Hassan (D-N.H.), Michael Bennet (D-Colo.), Tammy Duckworth (D-Ill.), Amy Klobuchar (D-Minn.), Patty Murray (D-Wash.), Cory Booker (D-N.J.), Catherine Cortez Masto (D-Nev.), Martin Heinrich (D-N.M.), Ed Markey (D-Mass.), Sherrod Brown (D-Ohio), Tammy Baldwin (D-Wis.), Doug Jones (D-Ala.), Joe Manchin (D-W.Va.), and Dick Durbin (D-Ill.).
There are a number of things to like in the Data Care Act. It moves away from a framework where internet users bear all the responsibility and risks of protecting themselves online and have few remedies for violations. It empowers the FTC—which has a good reputation for fair-mindedness to make rules and impose penalties. It lets state attorneys general enforce new protections when they need to do so. It has the cautious endorsement of organizations like the Electronic Freedom Federation and others.
There are some industry-friendly “weasel” rules thrown in; i.e. companies have to notify end users of a data breach only when “sensitive” data are breached. The definition of “sensitive” data is a bit skimpy.
The bill is regarded even by its supporters as a starting point, not a final product. It will need Republican support and ideas to make it into law.
Nonetheless, there is reason for optimism that some sort of privacy protection law will be passed into law this year if only because the Big Tech industry’s cookie monsters are scared silly of the new tough California privacy law that it goes into effect in 2020. A friendlier Federal law would supersede that.