Advancing Digital Trust with Privacy Rules and Accountability
The Challenge: A Governance Gap for Digital Privacy
The open nature of the Internet has given billions of people access to information and connected them in ways that had never before been possible. This free flow of information has enabled digital technologies to transform the economy and society, but it also creates unique governance challenges. Increasingly, the patchwork of governance structures and accountability mechanisms seems outmatched by the challenges that emerge from the digital landscape. The result is a governance gap that leaves users exposed to considerable privacy risks. Large majorities of Americans believe that they have very little to no control over the data that companies collect about them (81 percent) and are concerned about how companies use their personal data (79 percent).1 Lack of trust in privacy protections threatens to undermine the promise mobile technologies offer to improve people’s lives. For instance, last year, just over half of Americans (52 percent) decided not to use a product or service due to privacy concerns.2
Businesses are also inhibited by the current labyrinth of privacy rules. It is maddeningly difficult for developers and publishers seeking to offer digital products worldwide to know what the relevant rules are. Just within the United States, service suppliers must comply with jurisprudence governing unfair and deceptive trade practices under federal and state laws, individual state privacy laws in places like California and Illinois, and the latest terms of service of platforms such as Apple, Google, Facebook, Twitter, and Amazon. Even diligent, well-trained publishers seeking to follow the rules quickly find unnavigable murkiness as well as huge gaps and inconsistencies. The solution lies in creating systematic accountability structures that ensure users can trust their data will be treated with respect, and that provide certainty to online businesses.
The Solution: New Rules and Increased Accountability to Meet the Speed of the Internet
Governing the Internet presents unique challenges relating to complexity, time scale, and its global nature. Internet governance works best when legislatures pass broad rules, allowing technologists and specialized agencies to iron out specific rules. A new system for commercial data privacy must ensure that regulations move at the speed of the Internet.
Baseline Privacy Rules Modeled on the Fair Information Privacy Principles
In order to address the problem of the patchwork of U.S. privacy laws, Congress must pass baseline federal privacy protections modeled on the Consumer Privacy Bill of Rights (CPBR) framework developed by the Obama administration. Privacy norms must be established at the federal level, but any preemption of state laws such as California’s Consumer Privacy Act should ensure that current consumer protections in state law are the floor, not the ceiling. Comprehensive privacy legislation at the federal level should include enforceable codes of conduct and robust accountability mechanisms. A law should include privacy principles based on the Fair Information Practices Principles, and specific rules should be fleshed out through multi-stakeholder processes that lead to enforceable codes of conduct.
Globalized data flows necessitate international cooperation. The U.S. government should lead efforts to harmonize privacy rules across jurisdictions. A Track 1.5 process could help lay the groundwork for more formal coordination and harmonization. Federal funding should support initiatives that prioritize multi-stakeholder collaboration around issues of Internet governance that consider the needs of developers, platforms, and users alike. Any U.S. privacy legislation should incentivize this process, for example through new sources of liability coupled with a safe harbor for companies that follow codes of conduct reached through multi-stakeholder processes.
Increased Accountability through Law Enforcement and Digital Privacy Watchdogs
Law enforcement and consumer protection agencies such as the Federal Trade Commission and state attorneys general need ample resources to enforce the law. Congress should give greater resources to traditional law enforcement agencies such as the Federal Trade Commission for privacy enforcement. State attorneys general should be granted enforcement authority for the CPBR in connection with any preemption rules.
Law enforcement authorities need nimble, technically savvy partners such as nonprofit watchdogs to ensure accountability under circumstances that do not easily fit within a traditional law enforcement or regulatory structure.3 Digital privacy watchdogs can help monitor and hold accountable privacy violators across the digital ecosystem. These watchdogs address a critical gap in digital accountability mechanisms, especially where bad practices do not necessarily require law enforcement but nonetheless erode customer trust in the mobile app marketplace.
In addition, the U.S. government should create a dedicated federal role of chief privacy enforcement coordinator whose mandate would include coordinating government agencies and activities. Creating such a role would be a significant move in the direction of prioritizing data privacy initiatives at the federal level. This position could be modeled after the role of the intellectual property enforcement coordinator and be based in the White House. Once implemented by statute, the chief privacy enforcement coordinator should provide periodic reports to Congress.
Training for Developers Based on an Enforceable Code of Conduct
A compulsory developer education and certification program would raise the bar on compliance and prevent problems before they cause risks and harms to users, or litigation and public relations risks for companies. Companies should be required by statute to ensure that developers on their platforms are trained in a curriculum that is based around an enforceable code of conduct. To support international consistency, that code of conduct should be consistent with the EU’s General Data Protection Regulation and new U.S. privacy legislation. Any training requirements should be guaranteed through platforms’ terms of service.
Digital technologies hold incredible promise to improve citizens’ lives. Governing these tools, however, requires new thinking and new governance structures. The U.S. government has, so far, been unable to provide consumers with meaningful privacy protections, while companies are burdened with navigating complex, outdated rules. Accountability structures must ensure that users trust the digital tools available to them—but these structures should not be left to any one law or law enforcement entity. A system of privacy laws, government agencies, watchdogs, and developer education programs should work together to prevent and monitor privacy violations and hold violators accountable, ensuring the digital ecosystem flourishes and consumers have effective advocates.
Quentin Palfrey is the president of the International Digital Accountability Council and a senior fellow with GMF Digital. He previously served in the White House Office of Science & Technology Policy and at the U.S. Department of Commerce.
1 Brooke Auxier et al., Americans and Privacy: Concerned, Confused and Feeling Lack of Control over their Personal Information, Pew Research Center, November 15, 2019.
2 Andrew Perrin, Half of Americans have Decided Not to Use a Product or Service because of Privacy Concerns, Pew Research Center, April 14, 2020.
3 Quentin Palfrey, “Watching the Watchers: More Accountability Needed to Ensure Responsible COVID-19 Tracing Tech,” The Hill, July 13, 2020.