The tide is finally turning for consumer data protection in the United States, and though internet users may have been aware that their activity was being tracked online, recent developments have shown just how much personal data the tech industry collects and shares about its users. As people growing up in the turbulent digital age, college students are at the forefront of a sea of change in the future of big data.
In June, the California Consumer Privacy Act of 2018 passed through the California legislature. The law offers consumers more transparency over the use and transfer of their personal data, including the right to know what types of information companies collect about them, as well as the recipients of that information. A pivotal provision in the bill is the “private right of action,” which permits consumer lawsuits in the case of a traditional data breach, such as the T-Mobile data breach in August that exposed the personal information of 2 million people. The law, subject to amendments, will enter into effect in January 2020.
The legislation, however, is weak compared to the behemoth European Union-sponsored General Data Protection Regulation that entered into effect this May. It gives consumers an unprecedented amount of control over their personal data, how it is used and who is allowed to use it. Crucially, it lets regulators levy massive fines up to 20 million euros or 4 percent of global turnover — whichever is higher — if companies break the rules. Under prior legislation, Facebook was fined £500,000 (about $700,000) for its role in improperly transferring the private information of 87 million users to Cambridge Analytica, a political consulting firm. Under the GDPR, the fine would have been equal to four percent of global turnover, or, put more simply, £1.4 billion (about $1.96 billion).
Facing these new regulatory threats, tech companies are intensifying legal action within an already massive framework. Facebook, for example, spent more on lobbying in the first quarter of 2018 than ever before, dangling $3.3 million in front of lawmakers to influence policy, according to a Senate filing. Facebook CEO Mark Zuckerberg and his colleagues are lobbying Congress to draft a new federal data privacy law, one that would hopefully kill two birds with one stone: erasing the California legislation and putting in place regulations that are friendlier to their data mining practices.
If we have learned anything from the revelations of Cambridge Analytica, the use of targeted advertising to unfairly influence the 2016 presidential election and the irresponsibility of tech companies that process our personal information, then it is time we call for federal data protection without the outsized influence of Silicon Valley firms. American lawmakers should adopt data protection as a bipartisan priority because the practices of data mining run amok infringe on the liberties of ordinary Americans.
With the midterm elections fast approaching, citizens would benefit from an overarching data protection law. The need for such a law is evident, especially after a CNN report revealed that Russian-linked Facebook ads targeted residents of Michigan and Wisconsin in key demographic areas during the 2016 election. The anonymous sources in the report indicated the ads filled people’s feeds with racially-tinged and anti-Muslim rhetoric. While there is nothing illegal about targeted advertising, when a company like Facebook allows the weaponization of its platform by a foreign government to influence our elections, its apathy is an affront to democracy. In a country built upon the liberty of the individual, tech companies’ treating their customers like bottomless pits of data is nothing less than exploitation.
Lawmakers should thus be skeptical of any proposal floated to them by an industry lobbyist. Facebook lobbyist Joel Kaplan warned the California law could spread to other states and act as a threat to the industry and a regulatory nightmare. To be fair, state legislatures would needlessly torture companies if they each implemented similar-but-not-identical privacy policies. Instead, the U.S. Chamber of Commerce, the Internet Association and the Information Technology Industry Council are all pushing for voluntary standards, where the companies would continue to create and enforce their own rules.
In order to ensure the privacy rights of all citizens, we should no longer accept this monopoly on the control of our data. The days of blind trust in a self-regulatory system for these companies are over, and Congress now has an opportunity to draft federal legislation with teeth to ensure the proper handling of our personal information. Such a law would reform the Federal Trade Commission, which is the current regulatory body tasked with data security. Born in an analog era, it should be reviewed for its efficacy in fighting data breaches in the digital age.
In addition, while the GDPR is not perfect, representatives in Congress should study its provisions for consumer-centric data policy with a keen eye. The GDPR requires organizations to demonstrate that they process data fairly, openly communicate with customers and employees, and not keep data for longer than required. These are common sense regulations that are missing in the U.S. on a federal level.
Congress must use the coming months to reflect on our national data security policy. Privacy rights groups in California and lawmakers in Brussels have made great progress toward a fairer alternative to the current situation, where the interests of large corporations prevail. However, there is still a lot of work to be done and firms such as Google and Facebook will fight for every byte of data. I do not attempt to demonize these companies for doing business. In many ways, big tech has improved our lives by connecting people around the world and serving as humanity’s largest pool of knowledge. However, their harm to society should not go unnoticed.
Alexander Satola can be reached at apsatola@umich.edu.