A survey conducted by Pew Research, as if we really needed one, indicates at least half of all Americans perceive their online data to be less secure today than it was a few years ago.
America, despite relentless progress on other fronts, and despite being one of the most technology- and data-driven countries on Earth, is a patchwork of privacy and data laws right now. Even net neutrality has failed at the federal level, opening the door for states like California to lead the way.
It’s time to have a serious conversation about the current state, and ideal future, of U.S. data protection and access laws.
What Do Data Laws Currently Look Like?
The ideal outcome is likely a comprehensive, federal-level law in the U.S. to govern how companies collect, handle, store and use personally identifying data. Up to this point, we’ve only drawn up laws and regulations for specific applications and certain industries. Health care, for example, is one sector that takes privacy seriously as a matter of law.
HIPAA is a strong privacy-related data law — but it’s extremely limited in scope and holds only health data companies to rigorous standards. There are still other sets of rules for academic health records and immunization records. But every other business and industry requires data to operate and compete as well, which means current laws, while well-meaning, aren’t remotely adequate.
We made health data a priority, which is a good place to start. But it’s time to get a little more real about the role data has come to occupy in modern industry. With some predictions saying our collective data generation will increase a thousand-fold by 2020, it’s time to start collecting good ideas and putting them to work at the federal level in the U.S. Thankfully, there are some good places to start.
Who’s Making Progress Improving Data Laws?
Currently, a potential gold standard for comprehensive data protection laws is the EU’s GDPR, or General Data Protection Regulation. It became law in 2016, but it’s a reimagined version of a 1995 law. In other words, America has been behind the times for a while already. And, mind you, the EU is not just one country, but an affiliation of nations. This law will touch more than 500 million lives and has already redrawn portions of the Internet.
In a nutshell, GDPR identifies “data controllers,” “data processors” and “data subjects” as legally distinct entities. “Data subjects” — that’s you and me — are the ones about whom data gets collected daily and hourly by “data controllers” and studied by “data processors.”
GDPR requires the anonymization of all personal data and defines “personal” data as anything related to a subject’s address, name, IP address, RFID or cookie data, racial and sexual identity, biometrics, health and genetic data, political affiliations and more.
In other words, the EU has drawn up guidelines on which parties are responsible for the safety and anonymity of personal data, who is culpable in the event of a breach, who is under protection and what type of information the law protects. It provides severe punishments for companies and entities found to have abused personal data for any reason.
The U.S. has drawn up none of these legal benchmarks.
United States Data Laws of the (Near) Future
Will the United States adopt a law or series of laws that looks like the EU’s GDPR? Most likely, according to many U.S.-based companies, which have changed their data policies in response to GDPR merely to play it safe. They may be reading the writing on the wall and anticipating similar rules to come into place soon. Regardless, it’s clear GDPR is already exerting pressure on several industries.
Many other voices say that, yes, the time is right. Both sides of the Atlantic have witnessed what some of the consequences of patchwork data laws look like: American elections conducted in virtual realities and millions hoodwinked into voting for Brexit. In addition to general worries about data theft, identity theft, ransomware and all the rest, our lack of serious data laws now finds itself up against personalized echo chambers and the end of critical thought.
Individual American states — our “laboratories of democracy” — are positioned to lead here. In direct response to the Trump-era repeal of net neutrality rules, the California general assembly decided to institute neutrality rules at the state level. Their bill will ensure ISPs treat every Californian’s web browsing equally, among other protections.
State-level laws like this are a reminder of two things: first, that states can often fill leadership vacuums at the federal level, and second, that safeguarding how data gets transmitted is just as important as safeguarding the data itself. Future data laws in the U.S. will have to prioritize privacy protections for users, in addition to holding data facilitators like ISPs to far higher neutrality standards.
Unless we hold online social platforms, search engines, websites and ISPs to higher standards where neutrality and data privacy are concerned, we’ll continue seeing more world citizens being served content that reinforces their beliefs and weaponizes their credulity. Rewriting data laws isn’t just about protecting what’s ours. It’s also, in part, about protecting the future of information.