US contemplates its own version of GDPR

The U.S. National Telecommunications and Information Administration has started a 30-day public hearing process to gather comments on its policy options towards consumer privacy protection.

Shortly after Europe’s General Data Protection Regulation (GDPR) came into force in late May, what was described at the recent Digital Futures conference as “a global tidal wave of new and updated privacy regulations” followed hot on its heels (see the picture). Regulations and laws passed in jurisdictions from India to California, with other markets in between, have largely been modelled after the European legislation.

In the latest move, on Tuesday September 25, the US federal government, through the National Telecommunications and Information Administration (NTIA), kick-started a month-long process to hear from the public on the approach towards privacy protection.

“The United States has a long history of protecting individual privacy, but our challenges are growing as technology becomes more complex, interconnected, and integrated into our daily lives,” said David Redl, NTIA Administrator and Assistant Secretary of Commerce for Communications and Information. “The Trump Administration is beginning this conversation to solicit ideas on a path for adapting privacy to today’s data-driven world.”

The feedback requested is two-fold. The first part concerns the desired outcomes of any future privacy legislation. These include:

  • Organizations should be transparent about how they collect, use, share, and store users’ personal information.
  • Users should be able to exercise control over the personal information they provide to organizations.
  • The collection, use, storage and sharing of personal data should be reasonably minimized in a manner proportional to the scope of privacy risks.
  • Organizations should employ security safeguards to protect the data that they collect, store, use, or share.
  • Users should be able to reasonably access and correct personal data they have provided.
  • Organizations should take steps to manage the risk of disclosure or harmful uses of personal data.
  • Organizations should be accountable for the use of personal data that has been collected, maintained or used by their systems.

All of these are rather similar to what GDPR and the upcoming ePrivacy Regulation are designed to achieve.

Meanwhile, the NTIA is also requesting comments on the overall “High-Level Goals for Federal Action”, with key points including:

  • “Harmonize the regulatory landscape” between existing and future legislation;
  • “Legal clarity while maintaining the flexibility to innovate”, to enable new business models and technologies while privacy is protected;
  • “Comprehensive application” to “all private sector organizations that collect, store, use, or share personal data in activities that are not covered by sectoral laws”;
  • “Incentivize privacy research” in technologies and services that improve privacy protections;
  • the FTC should be the enforcement agency.

However, a few other points stand out and deserve a closer look. One probably deserves a full quote:

Employ a risk and outcome-based approach. Instead of creating a compliance model that creates cumbersome red tape—without necessarily achieving measurable privacy protections—the approach to privacy regulations should be based on risk modeling and focused on creating user-centric outcomes. Risk-based approaches allow organizations the flexibility to balance business needs, consumer expectations, legal obligations, and potential privacy harms, among other inputs, when making decisions about how to adopt various privacy practices. Outcome-based approaches also enable innovation in the methods used to achieve privacy goals. Risk and outcome-based approaches have been successfully used in cybersecurity, and can be enforced in a way that balances the needs of organizations to be agile in developing new products, services, and business models with the need to provide privacy protections to their customers, while also ensuring clarity in legal compliance.

NTIA’s focus is clearly to avoid heavy-handed measures that regulate what can be done, and instead to give businesses the flexibility to make their own judgement about what measures to take. This is in the same spirit as the first part of the consultation, which “focuses on the desired outcomes of organizational practices, rather than dictating what those practices should be.”

Another point that draws our attention relates to “Scalability”, which stresses that small companies operating in good faith, and third parties processing data on behalf of other organisations, should be treated differently from big companies that own and control personal data.

The two points above combine into a balanced message for the internet giants, which are not necessarily the biggest fans of privacy regulation. While they are afforded more flexibility, they will also be treated more strictly if they contravene the rules. However, as we wrote earlier, because of their size the Googles and Facebooks of the world are much quicker at ticking the compliance boxes.

One more point worth highlighting, probably more for entertainment purposes than anything else, relates to “Interoperability” with other major global legislation. Here, for whatever reason, the document pointedly does not refer to GDPR but instead uses the example of the “APEC Cross-Border Privacy Rules System.”

In general, the NTIA’s approach is balanced and measured, which is largely in line with our attitude towards privacy protection. On one hand, we deplore the blatant abuse of privacy by companies like Facebook and Cambridge Analytica. On the other hand, we also sympathise with the small and medium-sized businesses operating in Europe, most of which had to scramble together policies at the eleventh hour and may still fall foul of consumers. France’s data protection agency CNIL (Commission nationale de l’informatique et des libertés) registered a 64% increase in consumer complaints in the four months after GDPR came into force, compared with the same period the previous year.

As Mary Meeker highlighted, draconian laws could limit the exploratory nature of tech innovators. That so many countries model their privacy legislation on GDPR confirms that Europe’s policymakers are “world-class in setting standards”, as a recent article in The Economist put it. But in the same article the newspaper also highlighted the gap between Europe and the AI leaders, China and the US, neither of which is a role model in guarding individual privacy, though for entirely different reasons.

In a recent Telecoms.com online poll, a third of respondents agreed with the statement that there should be “flexible rules to allow users to trade privacy for benefits”. An optimal regulatory environment should give this minority the freedom to do so while providing the other two thirds of consumers with strict privacy protection.

Google fights back against EU plans to impose its regulations on rest of world

Today the European Court of Justice will make a decision which will impact the global digital economy. Does the European Union have the right to impose its own data protection and privacy standards on everyone else?

The one-day hearing has been brought about by the French data protection watchdog CNIL pressing Google to extend the ‘right to be forgotten’ ruling to all of its domains. When such a request is made and accepted, Google currently removes the content from search results in the relevant domain (e.g. .fr in France), and also when users from that country search through other domains (e.g. .com or .co.uk). CNIL argues the content should be removed from all domains, irrespective of where the user is based.

“This case could see the right to be forgotten threatening global free speech,” said Thomas Hughes, Executive Director of free speech advocacy group Article 19. “European data regulators should not be allowed to decide what Internet users around the world find when they use a search engine. The CJEU (European Court of Justice) must limit the scope of the right to be forgotten in order to protect the right of Internet users around the world to access information online.”

While it might not seem like the most damning of cases, the ripples from this ruling could quickly become turbulent waves. Google and numerous free speech advocacy groups argue this is simply France, and the European Union, pursuing their own form of censorship by imposing their own standards on other nations around the world. Should the judges rule in favour of CNIL, a precedent would be set, and precedent can be very dangerous.

If the European Union can force other countries into complying with its regulations, why shouldn’t others?

“If European regulators can tell Google to remove all references to a website, then it will be only a matter of time before countries like China, Russia and Saudi Arabia start to do the same,” said Hughes. “The CJEU should protect freedom of expression not set a global precedent for censorship.”

The question these judges have to answer is a relatively simple one on the surface: should governments and regulators have influence only over those who live in their jurisdiction, or should they be afforded power over everyone else as well? For us, the answer is incredibly simple too: no, they should not.

The whole concept of the CNIL argument is contradictory and patronising; it’s a form of digital colonialism, with France assuming it is the moral, ethical and political authority on such matters. If China or Russia were pressing for their rules to be imposed on the international stage, there would be uproar. Of course, the rules in these countries are backwards, though the principle remains the same. France should not be allowed to dictate to other countries around the world.

This is another example of globalisation trends working against the consumer. Companies like Google make use of the grey areas and cracks between the legislative and regulatory regimes of different countries. They take advantage of lighter-touch regulation in some countries, remaining out of reach of those with stricter regimes. The absence of an international code or ruling authority simply offers the internet players a blank rule book and encourages lawyers to look for loopholes that let them ignore regulations in more privacy-sensitive countries. That said, the will of one nation, or a dozen, or 28, should not be imposed on the rest of the world.

For Telecoms.com, the decision is a simple one: France should be told to govern its own country and not get involved in jurisdictions that do not concern it. The precedent set would be far too dangerous.