Why Is America So Far Behind Europe on Digital Privacy?
Legislators should seize the moment to pass meaningful protections for the digital age.
The editorial board represents the opinions of the board, its editor and the publisher. It is separate from the newsroom and the Op-Ed section.
In the past year, Congress has been happy to drag tech C.E.O.s into hearings and question them about how they vacuum up and exploit personal information about their users. But so far those hearings haven’t amounted to much more than talk. Lawmakers have yet to do their job and rewrite the law to ensure that such abuses don’t continue.
Americans have been far too vulnerable for far too long when they venture online. Companies are free today to monitor Americans’ behavior and collect information about them from across the web and the real world to do everything from sell them cars to influence their votes to set their life insurance rates — all usually without users’ knowledge of the collection and manipulation taking place behind the scenes. It’s taken more than a decade of shocking revelations — of data breaches and other privacy abuses — to get to this moment, when there finally seems to be enough momentum to pass a federal law. Congress is considering several pieces of legislation that would strengthen Americans’ privacy rights, and alongside them, a few bills that would make it easier for tech companies to strip away what few privacy rights we now enjoy.
American lawmakers are late to the party. Europe has already set what amounts to a global privacy standard with its General Data Protection Regulation, which went into effect in 2018. G.D.P.R. establishes several privacy rights that do not exist in the United States — including a requirement for companies to inform users about their data practices and receive explicit permission before collecting any personal information. Although Americans cannot legally avail themselves of specific rights under G.D.P.R., the fact that the biggest global tech companies are complying everywhere with the new European rules means that the technocrats in Brussels are doing more for Americans’ digital privacy rights than their own Congress.
The toughest privacy law in the United States today is the California Consumer Privacy Act, which is set to go into effect on Jan. 1, 2020. Just like G.D.P.R., it requires companies to take adequate security measures to protect data and also offers consumers the right to request access to the data that has been collected about them. Under the California law, consumers not only have a right to know whether their data is being sold or handed off to third parties, they also have a right to block that sale. And the opt-out can’t be a false choice — Facebook and Google would not be able to refuse service just because a user didn’t want their data sold.
While the California Legislature is still working out the precise details of the law and its implementation, other states — including New York — are hard at work on their own privacy legislation. The prospect of a patchwork of state-level rules explains why tech companies are suddenly eager for Washington to step in to set a national standard.
If a weak federal privacy law pre-empts state law, it would roll back the protections that Californians are supposed to get — and it would make it impossible for other states to set the bar even higher. That’s exactly what’s going on with privacy bills introduced by Senator Marco Rubio (the American Data Dissemination Act) and Senator Marsha Blackburn (the Balancing the Rights of Web Surfers Equally and Responsibly Act). Both offer weak privacy protections bundled with federal pre-emption. If passed, they would gut the California law. In the House, Representative Suzan DelBene’s Information Transparency and Personal Data Control Act also pre-empts state law, while offering a respectable amount of privacy protection, like a requirement for companies to secure opt-in consent before collecting user data. Still, even that bill lacks some rights that the California law provides.
The Senate bills that take privacy seriously do not contain pre-emption clauses. Senator Catherine Cortez Masto’s DATA Privacy Act, for instance, bears similarities to the California law and to the G.D.P.R., as does Senator Ed Markey’s significantly more ambitious Privacy Bill of Rights Act. Although Ms. Cortez Masto’s bill does not create a private right of action — that is, the ability for consumers to sue tech companies for privacy violations — Mr. Markey’s does, and invalidates arbitration clauses that could otherwise shield companies from individual lawsuits. Consumer lawsuits are a hot-button issue — in the California law, the private right of action exists only in a limited form thanks in part to corporate lobbying. Most interestingly, Mr. Markey’s bill requires the creation of a public list of data brokers in the United States — third-party companies who buy and sell your data.
Not all bills on the table take an omnibus approach. Some appear to be highly specific swipes at Facebook…