In the 21st century, disclosing personal data in order to access
useful online services is nearly unavoidable, but many people worry
that they don't have any control over how much gets disclosed, who
gets to use it, or how it gets used. The United States has, with
certain exceptions (e.g. credit records, video rental history,
medical data, students' educational data, the content--but not some
header data--of emails on non-private ISPs), generally left the matter
to voluntary self-regulation. But recent events, including unpopular
changes to Facebook's privacy policies, large-scale data breaches (a
hack of Sony's PlayStation network resulted in over 77 million users'
records being leaked), and LinkedIn selling users' personally
identifiable browser history to advertisers, have many people thinking
that it's time for a more robust and consistent framework for
protecting personal data.

President Obama has recently proposed a "Consumer Data Privacy Bill of
Rights", focusing on transparency, respect for context (data collected
for one reason can't just be repurposed for unrelated uses), security,
access and accuracy (you should be able to get at your own data),
focused collection, and accountability. But even this proposal falls
far short of the European Union's draft Data Protection Regulation,
which includes a "right to be forgotten" (to insist that
no-longer-necessary data be deleted), a right to "data portability"
(taking your data to a different service), an insistence that consent
to data collection be made explicit, and a requirement that default
settings be privacy-preserving ones. By following the EU's lead, the
United States could protect consumers' privacy while simplifying
regulatory compliance for US businesses.

But is a one-size-fits-all approach to data protection really wise or
necessary? Perhaps the draft Data Protection Regulation is actually a
step in the wrong direction. Mandating that every company appoint a
"Data Protection Officer" and be liable to potentially ruinous fines
(up to 2% of global annual revenue) will make it riskier and more
expensive to create innovative businesses, and would be potentially
disastrous to online advertising--a business that underwrites an
enormous amount of free and high-quality content. More fundamentally
troubling is the unavoidable clash between privacy and free
expression--because after all, a right to privacy is a right to stop
someone from saying something about you. Does taking a picture of
someone infringe their right to privacy? Scholarly analysis of
already-collected, but possibly personally identifiable, data? While
the Draft makes exceptions when processing data "solely for
journalistic purposes or the purpose of artistic or literary
expression," and more limited exceptions for "research," just how
narrowly would "solely" be applied here? Maybe the United States, with
its robust First Amendment protections for free expression, has the
right idea after all.

What do you think? Come to the debate on September 4th and share your views!