The tech industry, which reaps billions of dollars by harvesting personal data and using it to sell targeted advertising and other services, opened the door to federal data privacy regulations today in a proposal by ITI, a lobbying organization for tech companies.
The Information Technology Industry Council, which represents the policy interests of companies including Facebook, Google, Twitter, and Amazon, released a conceptual framework for Congressional legislation that it says “advances the privacy rights of consumers and defines the responsibilities of companies in using personal data while continuing to enable the innovations that transform our lives.”
Critics, however, see the ITI guidelines as a way to shield technology companies from even stricter constraints that might be imposed in the aftermath of a series of company data breaches that exposed sensitive consumer data to criminals, hackers, and political operatives—most notably, Facebook’s loss of control over millions of personal profiles to outside companies including Cambridge Analytica, a data firm that claimed it could influence voter decisions in U.S. elections.
“The ITI might as well have called [its proposal] ‘a data collector’s Bill of Rights,'” says Jeff Chester, executive director of the Center for Digital Democracy, a non-profit advocacy group that focuses on tech-related consumer issues such as data privacy and net neutrality.
Congress has been summoning tech firms to hearings on the privacy issue, and continues to mull possible legislation.
Chester says Congress should model its regulatory scheme on the European Union’s General Data Protection Regulation (GDPR), a stringent regulatory framework that imposes severe penalties on companies that violate the privacy of individuals whose data comes under the E.U.’s jurisdiction.
The ITI says its own proposal “offers an interoperable solution that can serve as a model for governments worldwide and a workable alternative to a patchwork of laws that could create confusion and uncertainty over what protections individuals have.”
The regulatory environment around personal data varies from country to country, and increasingly, within the United States. State legislatures have been considering their own consumer data privacy protections, and in the summer California passed a law that contains elements similar to the GDPR’s. If Congress passes a data privacy bill, however, it might pre-empt such state laws.
“Google, Facebook, and other companies want [federal] legislation as a way to undermine the GDPR and the California law,” Chester says.
The ITI says its proposal would help consumers better understand how their data is collected and used, support certain controls over personal data use, and support regulatory mechanisms to hold companies accountable for violations. Consumer rights would include “the right to access, correct, port, delete, consent, and object to the use of personal data about themselves.”
The ITI framework also advances industry goals by calling for the alignment of privacy protections across the globe, and “avoiding onerous process requirements that degrade the user experience, inject unnecessary costs into the ecosystem, or otherwise deter continued innovation and the participation of small- and medium-sized enterprises in the digital economy.”
The state of U.S. privacy protections depends on who controls Congress in 2019, Chester says. Opponents of the industry guidelines will be releasing their own model proposals, he says.
“The privacy advocates are going to fight,” Chester says.
Image credit: Copyright Andy Emel; used under standard license via Depositphotos