New ‘Bipartisan’ Federal Privacy Bill Tries To Build Consensus Support, And Basically Succeeds In Annoying Everyone
from the not-much-help dept
There are so, so, so many different discussions going on concerning internet platform regulations, and so many of the different ideas conflict with one another. But there is a general agreement that the US really, really needs a federal privacy law. Without it, we just bounce back and forth between (1) EU and other nations’ privacy laws effectively defining how the internet should work (in a way that has had tons of negative consequences, and little proven benefit), (2) various states pushing half-baked and equally problematic laws, leading to a patchwork of nonsense that’s impossible to comply with, and… (3) a never-ending string of data breaches and privacy scandals.
Given all of that, it seems like having a comprehensive federal US privacy framework would be a good thing. And it would be. If that privacy framework was sensible, carefully nuanced, and well drafted. Unfortunately, this is the United States, and we’re not always really good at sensible, carefully nuanced, and well drafted laws. Alas, this appears to be the case with the new discussion draft of the “bipartisan” American Data Privacy and Protection Act that was released on Friday.
Again, part of the problem with any of these attempts at regulating privacy is that most people have very different conceptions of what privacy even means. And, all too often, the conception that people have of privacy is simply that they don’t want anything “icky” to happen with their data, and that’s not a particularly useful guideline. I still think that the number one way for people to understand privacy is that it’s not a “thing” that needs to be “protected,” but rather a set of trade-offs, where the two most important elements are (1) does the user have transparency into what they’re getting for their data, and what data is being used for what purpose and (2) does the user have any control over that data. Also, any kind of privacy regime has to take into account the fact that speech rights and data privacy sometimes conflict, and when they do, speech almost always should win out. Otherwise, you end up with privacy laws being used to suppress speech. At the very least, there also needs to be some recognition of the difference between “personal data” and “stuff I observed about you.”
Anyway, that takes us to the bill that was just released. Rather than building such a comprehensive rethinking of privacy… it seems to just kinda mix and match pieces in a manner designed to try to appease lots of interests, but in the process creates a huge mess for everyone. The “headline” around the bill seems to be about the “compromise” on two of the most controversial bits of every federal privacy approach: is there federal preemption of state laws, and is there a private right of action?
Federal preemption means that this bill would wipe out many of the state laws attempting to regulate privacy. For fairly dumb reasons, this has become a mostly partisan issue. The argument against preemption is that it makes a federal privacy law a “floor” that states can improve on. The argument for preemption is basically “have you seen how fucking crazy most state privacy law attempts are, and can you imagine how any website would deal with dozens of disjointed and contradictory privacy laws in different states?” When looked at that way, the real answer should be that there is federal preemption, but that it comes along with a truly comprehensive federal bill, so that you don’t even need the states to fill in the gaps.
That is… not what this bill does. It does have a kind of preemption, but it is done in a confusing way with a number of loopholes — it lists 16 different unclear “preservations” that are not exempted, and then also something about FCC laws. And that kind of wipes away any of the good parts of preemption, because it means that states will still try to write their own laws, and twist themselves into knots to try to squeeze through the loopholes… and then we’ll all spend a decade or so dealing with pointless and distracting litigation to figure out how the courts interpret what Congress actually meant, rather than Congress just making it clear in the first place.
The other big issue, the private right of action, is also a double-edged sword. This is basically the question of whether or not individuals get to sue if they feel their privacy rights are violated, or if it needs to be the government bringing a case on behalf of the public. In theory, a private right of action can make sense, because if your rights are violated you should be able to sue. In practice, private rights of action — especially on unclear and badly drafted laws — are a mess, because they create an industry of ambulance-chasing lawyers and plaintiffs filing what often feel like nuisance suits just to shake down companies for cash. Again, this can be fixed with clear and decisive drafting. And again… that’s not what happened here.
This is the problem that we come to with regulating privacy. It’s super important, but because very few people want to understand the nuances and trade-offs and draft a law accordingly, we get these kinds of compromise bills. Bills where you can tell the drafters tried to craft a kind of Frankenstein bill out of various pieces, trying to keep enough people happy to allow the bill to pass, but in the process building a kind of monster that does no one any good.
So much of the bill seems based on failed paradigms and debunked concepts — like relying on privacy policies, which have long been a failed concept. That’s not to say there aren’t some decent ideas in the bill, because there are. For example, it has one line about how nothing in the act can be construed to limit the 1st Amendment rights of journalists (which is something we’ve seen other privacy laws fail at), but again the details are left vague — meaning litigation. It also does make some handwavy efforts to force companies to be more transparent about what they collect. But the whole bill is kind of a mess.
Just as an example, it excludes “de-identified data,” saying that this is not covered — except, as we’ve noted repeatedly, there is no such thing as truly de-identified data. There are lots of other ideas that, at a first pass, may sound good — like a “duty of loyalty” including “data minimization” to not “collect, process, or transfer” data “beyond what is reasonably necessary” — but again we’re back into a world where this is going to get litigated, over and over and over again, leading to massive uncertainty.
There are also a lot of fill-in-the-blank aspects to the law, putting tremendous weight on the FTC to figure out what all of this actually means, meaning that there will be further confusion and uncertainty.
In the end, we need a federal framework for privacy protection. This is a federal framework for privacy protection. That doesn’t mean it’s a good one. It seems to be the only one that could get bipartisan support, however. Sometimes “compromise” gets you to an uncomfortable middle ground that no one really likes, but it’s the best possible result. But sometimes “compromise” just creates an even bigger mess. This seems to be one of the latter kinds of compromise.