Federalizing Privacy Rights: How Tech Giants Went From Protesting Privacy Laws to Supporting Them
December 22, 2018Archives . Authors . Blog News . Certified Review . Feature . Feature Img . Recent Stories . Student Blogs ArticleIn an impassioned speech in Brussels this October, Tim Cook, the CEO of Apple, threw his weight behind a federal privacy law, denouncing the data collection practices engaged in by his fellow technological giants such as Google and Facebook. While it is not new for tech companies to push for stronger privacy laws, the renewed impetus for the movement comes from the European Union’s General Data Protection Regulation (GDPR), which went into effect on May 25, 2018, and California’s Consumer Privacy Act, which will go into effect on January 1, 2020. On the heels of California’s legislation, other states such as Georgia have also introduced similar bills. This patchwork of legislations across states with different levels of obligations has pushed the tech industries to petition Congress to enact a federal legislation. Earlier in November, Senator Ron Wyden (D–OR) introduced a federal privacy bill, but many news outlets report it as unlikely to be passed into law. While the tech companies’ interest may stem more from the desire to avoid compliance with 50 different laws on privacy, this post analyzes the public policy implications of a federal legislation on privacy for the complicated digital economy.
Present federal protections for privacy rights:
The current approach at the federal level in regulating the collection and use of private information is sector-specific, with no umbrella legislation that prevents or regulates how sensitive information is to be used. The only such umbrella legislation on privacy is the Privacy Act of 1974 which applies only to the collection, maintenance, use and dissemination of individual information by federal agencies. Paul Schwartz describes the sector-specific approach to privacy in the United States and explains that federal sector-specific legislations such as the Video Privacy Protection Act and the Wiretap Act merely establish “floors” upon which several states have enacted much more stringent regulations. Paul M. Schwartz, Preemption and Privacy,118 Yale L.J.902, 919 (2009). There is also a sprinkling of regulatory requirements imposed by agencies such as the Securities and Exchange Commission that require public companies to disclose material cybersecurity risks and incidents. Not only is there is no federal omnibus privacy legislation, neither is there a single enforcement authority; rather, enforcement is carried out by three actors: the Federal Trade Commission (FTC), state attorney generals who self-describe themselves as the “Internet’s police”, and class-action attorneys. By and large, however, enforcement of privacy laws at the federal level is toothless, based largely on a breach of the contractual policy of privacy that consumers agree to in click-wrap agreements, and pursued by the FTC if the activities are deceptive or unfair.
Need for a federal privacy law:
A person’s data is collected by companies such as Facebook, Amazon and Google every time he connects to the internet, runs an online search, buys products through e-commerce portals, or even communicates with his Alexa/Google Home device. All of these were being done by companies by including “notice and consent” clauses in extremely fine print in a lengthy agreement where consumers were given notice of such data collection and indicated their consent by clicking on an “I Agree” box. A study done by two researchers at Carnegie Mellon estimated that it would take a user almost 25 days of the year if they were to read every privacy policy on every website that they visit in a year. It was to impose checks on companies collecting such data that the GDPR was formulated, with requirements such as obtaining a clear indication of consent before data collection, communicating the basis of collection, retention and purpose of use of such data, and providing individuals access to the data about them that has been collected. Most of Big Tech did not welcome the GDPR’s requirements, finding them to be “burdensome.”Yet, these same companies are now pushing for a federal privacy law despite claiming self-regulation was a better solution in the past.
Most of the arguments in favor of a federal privacy law have come from within the industry itself, calling for a uniform law that sets one standard for the entire country as opposed to 50 different standards. This argument seems to be inspired by the reality that state-wide privacy laws are in the offing and will make matters complicated for Big Tech, and an effort to shape public debate by being a part of it. In response to the call for comments by the National Telecommunications & Information Administration (NTIA) on developing the Trump administration’s approach to privacy law, Amazon has called for a uniform federal law that will replace the “patchwork of different privacy obligations”, arguing that differing obligations will be expensive, time-consuming and divert resources that could otherwise be used in innovation. AT&T has framed the need for a federal law in terms of the difficulties to consumers in navigating differing and complicated state-specific legislations.
Privacy advocates, on the other hand, also welcome a federal law on the subject but have called for such standards to be a floor and not a ceiling, and strongly criticize the language of pre-emption of state laws that is adopted by technology industries. Privacy scholars, who submitted comments to the NTIA, explain that states have historically been “laboratories of experimentation” and have been willing to experiment with different approaches to regulate privacy.
Today, there is bipartisan support on the need for a federal privacy law, yet little consensus on what that law should look like. But popular opinion seems to suggest that Americans want more protections for their privacy, not less, and it is unclear whether a federal policy that preempts state requirements will accomplish this. While there is merit to the suggestion that having 50 different state laws and one federal law would only be burdensome and complicated for all actors involved, it is also important to ensure that a uniform federal policy sets the bar high enough so that it affords meaningful protection to internet users.
Suggested citation: Nayanthika Ramakrishnan, Federalizing Privacy Rights: How Tech Giants Went From Protesting Privacy Laws to Supporting Them, Cornell J.L. & Pub. Pol’y, The Issue Spotter, (Dec. 22, 2018), https://live-journal-of-law-and-public-policy.pantheonsite.io/federalizing-privacy-rights-how-tech-giants-went-from-protesting-privacy-laws-to-supporting-them/.
You may also like
- October 2024
- April 2024
- March 2024
- February 2024
- November 2023
- October 2023
- April 2023
- March 2023
- February 2023
- January 2023
- December 2022
- November 2022
- October 2022
- May 2022
- April 2022
- March 2022
- February 2022
- January 2022
- December 2021
- November 2021
- October 2021
- May 2021
- April 2021
- March 2021
- February 2021
- January 2021
- November 2020
- October 2020
- September 2020
- August 2020
- July 2020
- June 2020
- May 2020
- April 2020
- March 2020
- February 2020
- January 2020
- November 2019
- October 2019
- September 2019
- April 2019
- February 2019
- December 2018
- November 2018
- October 2018
- September 2018
- March 2018
- February 2018
- January 2018
- December 2017
- November 2017
- October 2017
- September 2017
- May 2017
- April 2017
- March 2017
- February 2017
- December 2016
- November 2016
- October 2016
- April 2016
- March 2016
- February 2016
- January 2016
- December 2015
- November 2015
- October 2015
- June 2015
- May 2015
- April 2015
- March 2015
- February 2015
- January 2015
- December 2014
- November 2014
- October 2014
- August 2014
- March 2014
- February 2014
- January 2014
- December 2013
- November 2013
- October 2013
- September 2013
- May 2013
- April 2013
- March 2013
- February 2013
- January 2013
- December 2012
- November 2012
- October 2012
- September 2012
- June 2012
- April 2012
- March 2012
- February 2012
- January 2012
- December 2011
- November 2011
- October 2011
- September 2011
- August 2011
- April 2011
- March 2011
- November 2010
- October 2010
- September 2010