As Congress considers several online privacy and data security bills, market-oriented experts are cautioning against over-regulation.
An all-out effort to protect individual privacy sounds good, the experts said, but onerous regulations could stifle innovative start-ups and have the unintended effect of further entrenching large internet technology companies such as Facebook and Google.
Bills filed by Sens. Brian Schatz (D-Hawaii), Ron Wyden (D-Ore.), Amy Klobuchar (D-Minn.) and John Neely Kennedy (R-La.) would address various consumer-privacy concerns, such as expanding the definition of “sensitive data” and simplifying online user agreements.
But the heavy-handed General Data Protection Regulation, implemented in Europe in May last year, and California’s Consumer Privacy Act, scheduled to take effect on Jan. 1, 2020, are also influencing the nascent congressional debate.
“Stringent data-privacy regulations like the European Union’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act require significant compliance costs on companies, even those that are rather small,” said Jennifer Huddleston Skees, a research fellow at the Mercatus Center at George Mason University.
“Larger companies are more likely to be able to absorb these costs or reallocate resources to compliance,” Skees said in an email, adding that a variety of businesses, from newspapers to video games, have already opted out of the EU market, due to hefty new regulatory costs.
That means companies such as Facebook, Apple, Amazon, Netflix, and Google, or the so-called FAANG, would have a substantial advantage over their competition, even before wielding their immense networks of lobbyists and paid political influencers.
Roslyn Layton, a visiting scholar at the American Enterprise Institute, acknowledges congressional lawmakers’ genuine concern for internet consumers, but calls it a “mistake” to equate consumer protection with increased government control.
“In Europe, the GDPR is driving the opposite of its promised results. Users report less trust in online systems as regulation has increased, and Google, Facebook, and Amazon have gained market share since GDPR took effect,” Layton wrote.
With respect to California, she noted that the state “has had more so-called privacy rules across industries than any state, yet its residents do not report feeling more private, safe, or protected.”
Data Dissemination Act
A possible solution is the American Data Dissemination Act, introduced by Sen. Marco Rubio (R-Fla.) on Jan. 16.
“In today’s post-industrial economy, you are the product,” Rubio wrote in an accompanying op-ed. “Data detailing your every move is why 34-year-old Mark Zuckerberg is worth $54 billion, and Google co-founder Larry Page is worth $50 billion.”
“Your data is incredibly valuable, and for the most part, it is not even yours,” Rubio said.
If successful, the bill would govern the collection and sale of consumer data, which not only includes items such as a user’s location and personal preferences, but also “education, financial transactions, medical history, criminal or employment history,” and “unique biometric data, such as fingerprint, voice print, retina or iris image.”
The proposal would require the Federal Trade Commission to develop rules for tech companies to follow based on the Privacy Act of 1974.
By relying on the Privacy Act as its framework, Rubio’s plan to “provide overdue transparency and accountability from the tech industry” would require tech firms to give public notice of private records as they collect and disseminate them.
It would also prohibit most disclosures of private records unless individuals give written consent, and it further calls for consumers to be able to correct inaccurate records.
Ironically, the Privacy Act was enacted after Watergate over fears that the government would abuse the collection of early computerized personal privacy data. Those fears now apply to privately owned tech businesses.
‘Question Who Has Access’
In March 2018, a major political scandal erupted when it was revealed that Cambridge Analytica, a British consulting firm, had harvested the personal data of 87 million Facebook users without their consent. Much of the data was used in paid political targeting efforts.
Facebook initially refused to comment, but Facebook CEO Mark Zuckerberg would eventually testify in a series of contentious congressional hearings. The scandal became symbolic of a larger problem and the urgent need for consumer protections.
“While this individual incident was sufficiently troublesome,” Rubio said, “consumers have plenty of reasons to question who has access to their data when they provide it to an online entity” and whether their data is secure.
Data breaches are another significant issue the bill looks to address. In late 2017, credit rating firm Equifax was breached by hackers who stole private information affecting 143 million people, roughly half of all Americans.
In December, the Federal Trade Commission (FTC) announced more than three times as many people were affected by compromised records involving the hotel giant Marriott International.
“According to Marriott, the hackers accessed people’s names, addresses, phone numbers, email addresses, passport numbers, dates of birth, gender, Starwood loyalty program account information, and reservation information. For some, they also stole payment card numbers and expiration dates,” the FTC said in a statement.
Key to Rubio’s proposal is a pre-emption feature that “shall supersede” any state laws or relevant provisions.
Although he never mentions the California Consumer Privacy Act in his op-ed or bill press release, the Florida Republican seems committed to overriding it. The California law was approved by the Democratic-controlled state legislature and signed into law by former Gov. Jerry Brown.
It includes harsh penalties of up to $7,500 per data violation, something the pro-market conservative naturally opposes.
“My bill also takes important precautions to ensure it does not entrench large, incumbent corporations. Facebook, Apple, Amazon, Netflix, Google, and others would welcome cumbersome regulations that prevent start-ups and smaller competitors from challenging the FAANG’s current dominance,” Rubio said, appearing to draw congressional battle-lines for impending negotiations.
More impartially, Mercatus Center researcher Skees said a pre-emption feature makes practical sense.
“Federal preemption of state laws concerning data privacy could prevent the development of a patchwork of state laws that place burdens on speech and interstate commerce and potentially stifle innovation,” she said.