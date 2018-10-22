Share on Facebook Share on Twitter Share on Google+ Share on LinkedIn +

It has been a remarkable year of progress in advancing the rights of individuals to better control their personal data. With the implementation of the European Union’s General Data Protection Regulation, passage of a strong privacy law in the largest state in America, and new privacy laws and regulations in Argentina, Brazil, and India among others, we are witnessing a very real rebalancing of power between companies and internet users.

I still believe in the power of digital technology to deliver economic growth and innovation, social progress, and advances in areas like healthcare, transport, and environmental protection. These prospects are exciting, but as with many new technological advancements and emerging business models, we have seen exuberance and abundance, and we have seen missteps and unintended consequences. The moves to better recognize the importance of individual respect and dignity in our data-driven world are welcome and will go a long way toward correcting prior missteps, but we still have a lot of work ahead.

In many ways, the EU has taken the leadership role in driving forward a rights-based framework for privacy law and we have seen countries around the world, such as Brazil, use it as a basis for adopting their own data protection legislation. The US, the home to so many of the truly innovative internet companies of today, is playing catch-up.

My organisation, the Center for Democracy & Technology has been calling for a baseline privacy legislation in the United States for nearly 25 years, and now it appears as though the US Congress is serious about taking up the debate. I recently testified before the US Senate, arguing why this is a pressing need, and how lawmakers should go about it.

In my testimony, I highlighted how the current US legal structure on personal data simply does not reflect the reality that the internet and connected services and devices have been seamlessly integrated into every facet of our society. Our schools, workplaces, homes, automobiles, and personal devices regularly create and collect, and, increasingly, infer, intimate information about us. Everywhere we go, in the real world or online, we leave a trail of digital breadcrumbs that reveal who we know, what we believe, and how we behave. Overwhelmingly, this data falls in the gaps between regulated sectors.

The lack of of an overarching U.S. privacy law has resulted in the regular collection and use of data in ways that are unavoidable, have surprised users, and resulted in real-world harm.

While U.S. law does have meaningful and solid privacy protections in certain areas, such as healthcare, this sectoral approach is no longer sustainable. Without legislation, we are stuck in a framework based on “notice and consent” for the foreseeable future. “Notice” is provided through a presentation of legal terms via a privacy policy, while “consent” is any action that signifies the acceptance of those terms by the user.

This model encourages companies to write long, overly permissive privacy policies that entice users to agree to data collection and use by checking, or not unchecking, a box.

This model persists globally despite the fact that few individuals have the time to read privacy notices, and it is difficult, if not impossible, to understand what they say even if they are read. We need a more user-focused approach.

As US lawmakers move forward on privacy legislation and policy makers globally consider their own approaches, they should include several of the same rights and obligations found in the GDPR. US federal privacy law should include basic rights for individuals to access, and in some instances, correct their personal data held by companies. Individuals should also have the ability to easily delete or move information out of services.

A baseline law should also enshrine the right to know how and with whom personal data is shared. Where feasible, these rights should apply not only to data that users have shared with a company, but also to information that a company has observed or inferred about users, such as their location, web browsing information, and advertising categories they have been placed in. This must be accompanied by strong enforcement tools available to agencies at the federal and state levels.

Going even further, the US and other nations should declare certain data practices presumptively unfair. There are some types of data and some processing practices that are so sensitive that they should be permitted only to provide a user the service they requested, and be prohibited from entering the opaque and unaccountable market of secondary uses.

Some examples of this are precise location information, the use of biometric information to identify individuals, and the use of healthcare information or children’s information for targeted marketing.

Momentum toward greater autonomy and agency of personal data, and ultimately greater digital dignity for all, is very real. Ultimately, privacy is about reclaiming respect for our digital selves by providing individuals with more agency around their data. Data Privacy and Protection Commissioners are poised to make this an even more global movement and have the opportunity set the next generation of data protections that will shape our digital futures.