New ‘Bipartisan’ Federal Privacy Bill Tries To Build Consensus Support, And Basically Succeeds In Annoying Everyone

from the not-much-help dept

There are so, so, so many different discussions going on concerning internet platform regulations, and so many of the different ideas conflict with one another. But there is a general agreement that the US really, really needs a federal privacy law. Without it, we just bounce back and forth between (1) EU and other nations’ privacy laws effectively defining how the internet should work (in a way that has had tons of negative consequences, and little proven benefit), (2) various states pushing half-baked and equally problematic laws, leading to a patchwork of nonsense that’s impossible to comply with and… (3) a never-ending string of data breaches and privacy scandals.

Given all of that, it seems like having a comprehensive federal US privacy framework would be a good thing. And it would be. If that privacy framework was sensible, carefully nuanced, and well drafted. Unfortunately, this is the United States, and we’re not always really good at sensible, carefully nuanced, and well drafted laws. Alas, this appears to be the case with the new discussion draft of the “bipartisan” American Data Privacy and Protection Act that was released on Friday.

Again, part of the problem with any of these attempts at regulating privacy is that most people have very different conceptions of what privacy even means. And, all too often, the conception that people have of privacy is simply that they don’t want anything “icky” to happen with their data, and that’s not a particularly useful guideline. I still think that the number one way for people to understand privacy is that it’s not a “thing” that needs to be “protected,” but rather a set of trade-offs, where the two most important elements are (1) does the user have transparency into what they’re getting for their data, and what data is being used for what purpose and (2) does the user have any control over that data. Also, any kind of privacy regime has to take into account the fact that speech rights and data privacy sometimes conflict, and when they do, speech almost always should win out. Otherwise, you end up with privacy laws being used to suppress speech. At the very least, there also needs to be some recognition of the difference between “personal data” and “stuff I observed about you.”

Anyway, that takes us to the bill that was just released. Rather than building such a comprehensive rethinking of privacy… it seems to just kinda mix and match pieces in a manner designed to try to appease lots of interests, but in the process creates a huge mess for everyone. The “headline” around the bill seems to be about the “compromise” on two of the most controversial bits of every federal privacy approach: is there federal preemption of state laws, and is there a private right of action?

Federal preemption means that this bill would wipe out many of the state laws attempting to regulate privacy. For fairly dumb reasons, this has become a mostly partisan issue. The argument against preemption is that it makes a federal privacy law a “floor” that states can improve on. The argument for preemption is basically “have you seen how fucking crazy most state privacy law attempts are, and can you imagine how any website would deal with dozens of disjointed and contradictory privacy laws in different states?” When looked at that way, the real answer should be that there is federal preemption, but that it comes along with a truly comprehensive federal bill, so that you don’t even need the states to fill in the gaps.

That is… not what this bill does. It does have a kind of preemption, but it is done in a confusing way with a number of loopholes — it lists 16 different unclear “preservations” that are not exempted, and then also something about FCC laws. And that kind of wipes away any of the good parts of preemption, because it means that states will still try to write their own laws, and twist themselves into knots to try to squeeze through the loopholes… and then we’ll all spend a decade or so dealing with pointless and distracting litigation to figure out how the courts interpret what Congress actually meant, rather than Congress just making it clear in the first place.

The other big issue, the private right of action, is also a double-edged sword. This is basically the question of whether or not individuals get to sue if they feel their privacy rights are violated, or if it needs to be the government bringing a case on behalf of the public. In theory, a private right of action can make sense, because if your rights are violated you should be able to sue. In practice, private rights of action — especially on unclear and badly drafted laws — are a mess, because they create an industry of ambulance-chasing lawyers and plaintiffs filing what often feel like nuisance suits just to shake down companies for cash. Again, this can be fixed with clear and decisive drafting. And again… that’s not what happened here.

This is the problem that we come to with regulating privacy. It’s super important, but because very few people want to understand the nuances and tradeoffs and draft a law accordingly, we get these kinds of compromise bills. Bills where you can tell the drafters tried to craft a kind of Frankenstein bill out of various pieces, trying to keep enough people happy to allow the bill to pass, but in the process building a kind of monster that does no one any good.

So much of the bill seems based on failed paradigms and debunked concepts — like relying on privacy policies, which have long been a failed concept. That’s not to say there aren’t some decent ideas in the bill, because there are. For example, it has one line about how nothing in the act can be construed to limit the 1st Amendment rights of journalists (which is something we’ve seen other privacy laws fail at), but again the details are left vague — meaning litigation. It also does make some handwavy efforts to force companies to be more transparent about what they collect. But the whole bill is kind of a mess.

Just as an example, it excludes “de-identified data,” saying that this is not covered — except, as we’ve noted repeatedly, there is no such thing as truly de-identified data. There are lots of other ideas that, at a first pass, may sound good — like a “duty of loyalty” including “data minimization” to not “collect, process, or transfer” data “beyond what is reasonably necessary,” but again we’re back into a world where this is going to get litigated, over and over and over again, leading to massive uncertainty.

There are also a lot of fill-in-the-blank aspects to the law, putting tremendous weight on the FTC to figure out what all of this actually means, meaning that there will be further confusion and uncertainty.

In the end, we need a federal framework for privacy protection. This is a federal framework for privacy protection. That doesn’t mean it’s a good one. It seems to be the only one that could get bipartisan support, however. Sometimes “compromise” gets you to an uncomfortable middle ground that no one really likes but it’s the best possible result. But sometimes “compromise” just creates an even bigger mess. This seems to be one of the latter kinds of compromise.



Comments on “New ‘Bipartisan’ Federal Privacy Bill Tries To Build Consensus Support, And Basically Succeeds In Annoying Everyone”

Anonymous Coward says:

The right to privacy usually gets thrown out the window by people who support it the second someone does something they feel is deserving punishment. It’s not surprising either, nor is it particularly hypocritical because having a truly private society would be significantly different than what we have currently. Even if you exempt criminality, which obviously would have to be done, you would still have a world where a lot of despicable behavior would be hidden from public view. Of course, that happens anyways, so it’s hard to argue that it would objectively be worse because people already do so many despicable things even knowing they would be shamed and ashamed if it was to become known.

But in the end I suspect such a world would be much more autocratic as the people who were best at cheating and manipulating people would gain even greater influence than they have now and those who were open and moral would have every personal foible they revealed ridiculed until they exited public life.

We still need strong privacy laws, of course, but they need to be done with more than a modicum of thought on what exactly they are meant to accomplish before just hoisting them upon everyone.

Upstream (profile) says:

A framework??

What if your contractor said “I’ll build you a framework for a house, but beyond that, you are on your own?”

Just as with houses, where roofs, floors, walls, doors, windows, plumbing, electric, and myriad other things actually matter a great deal, so do the specifics of any law, especially one that tries to address the complexities of privacy in an increasingly interconnected world.

Key point in the article: Free speech is generally more important than privacy. But again, this can be very nuanced, with a lot of room for gray areas.

Then there is the situation where one person’s views on privacy might violate the privacy of others. Ring doorbell cameras and their ilk are a good example of this. Just because one person wants video of everything that happens on their front porch to be available to everyone and their dog, does not mean that the neighbor across the street, whose entire property is also in full view of the camera, wants to allow the same thing.

I strongly believe that individuals have a very broad and fundamental right to privacy. When it comes to websites and other commercial entities collecting, selling, or “sharing” PII, the default should be “No! It cannot be required under any circumstances.” Opt-in should be at the user’s discretion.

But even that can get complicated, and beyond that it can be very complicated indeed.

Naughty Autie says:


Ring doorbell cameras and their ilk are a good example of this.

I was actually thinking of getting one of those, but the company still hasn’t responded to my question about setting it so it activates only when the doorbell actually rings (shitty Amazon delivery drivers). I don’t need an exterior camera to detect break-ins; I’ve got a bunch of interior cameras that are switched on at night and whenever the flat is empty.

Anonymous Coward says:

It’ll be nice to have a law that says you can’t sell customers’ location or web browsing data to ad networks or 3rd parties without asking permission. ALL of customers’ data has to be deleted after a month if the customer is no longer a user of a service, e.g. dating app, wireless mobile service;
this limits the damage if the database is hacked in the future.
When abortion becomes illegal the data about people going to medical services (Planned Parenthood) could be used against them.

TasMot (profile) says:

TechDirt has written several complaint posts about bad or proposed bad privacy legislation. Why not get some people together at the Copia Institute or whatever venue you have available and put together a good proposed Federal Privacy Law and then work with one of the good guys like Senator Ron Wyden to get it worked through the Congressional System to become a law?
And FWIW, make sure that all of the parts are carefully interwoven so that when the inevitable attempts at amendments are pushed forward that they will not take into account the interwoven nature of the proposed law and will not make sense.
I don’t know if there is a way to do this, but many laws seem to have attempts at post ipso facto rewriting as to the intent of the law (see the oh so many attempts to rewrite Section 230 that require the original drafters of the law to say no-no). So, include an executive summary as the first part of the bill that states the intent of the eventual law in no uncertain terms.
Maybe even get some future lawyers and politicians in colleges to participate with class projects that do either an entire proposed bill or some focused portion of it. It would probably be good training for a future lawyer/legislator to participate in the process.
A part of the reason for this suggestion is that that good guy (OR Senator Ron Wyden) has been re-elected for a long while by the good people of the state of Oregon; however, at some point he will retire and/or not be re-elected and a decent replacement needs to get started on training now.

Mikey says:

Fed "Privacy" bill

This is an attempt by the MAAMA companies to pre-empt the new CA data privacy legislation. FB and Google especially are pushing this bill, look to see if your local Sen or Rep is carrying water for them!

For sure if this passes Congress it will have local pre-emption, prohibitions on private right of action, and all the other billionaire provisions you should be familiar with by now.
