Mending the Current Data Privacy Laws in US
Executive Summary
Despite the fact that big data allows the government to better serve its citizens, the lack of regulations in this area impedes people’s rights to privacy and safety. Our laws are almost 40 years out of date and thus unable to adequately address contemporary concerns. Unregulated data privacy laws also impose danger on citizens as either the government can step over the bounds and track people or even wrongly accuse people if anything goes wrong, or companies can target people for their own profit only. This has already prompted some states to adopt their own data privacy laws to manage this situation, and the EU has adopted a union-wide law to regulate data as well. With state-level regulations, if they are implemented by all states, would create a messy situation where different standards are being enforced in different places, causing it harder to judge whether or not an action is illegal and increase costs for companies and government to run and service that requires data collection as they need, in the worst case, different methods in different states. An overall national-level guidelines should be implemented and fortunately we do have ADPPA which is modeled after EU’s successful GDPR that is currently being discussed in the congress that has been adopted to US’s situation and incorporated some of the previously failed national-level data privacy laws.
Introduction
As soon as the internet started to be utilized in a civil context, it started a new form of social contract that people have made before with their government, but this time not only with government but with corporations as well: training privacy for safety and better services. However the current contract is evolving faster than the previous one people signed with the government. As internet gets more function, becomes more convenient, popular or even essential to the civilization, people are leaving more and marks on the internet no matter if it is their intention or not. Then along with the development of technology especially in the department of machine learning which allows people to extract more information from the data produced on internet — either posted by different people or left unintentionally by people when they are browsing online — means that we can predict people’s actions and guess precisely their intention. This power is undoubtably a double edged sword, and has proven itself to be one as it has already been swung multiple times. There are plenty of complains from the masses that their privacy is being invaded by companies and governments, and these complaints are based on actual cases of such invasion, some of which should be stopped. However this should not be the reason for stopping collecting big data and feeding it to machine learning. For if well regulated, this practice offers more convenience and security than possible negative effects.
“New Social Contract”
Countless services have been provided in this form, and one of the more important one is protection from terrorism. This threat is ever imminent and always changing based on the time frame it is based in. In a report by the Department of Homeland Security in Sep 2019, DHS recognizes the change in form of terrorism as many of their communication and propaganda has moved online, with some of their attacks changing to cyberattacks as well. Then in the report DHS mentioned that they need a better framework to combat this changed form of terrorism, and data collection is a huge part of it as clues existing on social media may link to a certain start time for a planned attack, some chat record combined with location data could indicate their next gathering. These tiny connections between evidences can only be found with the aid of machine learning and data collection, therefore they are arguing that as a necessary step, they need to be able to collect information from individuals. (DHS, 2019)
Apart from terrorism, nowadays there are more fields where big data and machine learning can be applied as well. Disaster management is one, where big datas are not only collected in geographic fields or climate field, but also people’s report and responses, along with their location information. With all these information, emergency response related departments are able to evaluate different kinds of risk in different regions, construct plans according to the perceived risks and predicted development if the disaster does happen, and how to evacuate people from the disaster. With social media being a convenient platform for people to share information regarding disasters and their experience, the emergency departments naturally are able to distribute this information quicker to all those that are in the potential area of impact, and calibrate their monitored data based on people’s reactions in different geographical locations. (Elichai, 2018) The location data is also one important type of data that government is and should be collecting, since this aid them in helping the people who needs it during times where they are unable to share their location. These situations may be medical condition, natural disaster, or criminal activities. A call to the police and they can track your position, with online platforms even easier to locate where the person is when they made any activities online.
Holes in current system
Limited Coverage by Current Legislations
Currently, there are a few major privacy laws in place to protect people’s personal information be disclosed to random organizations that could potentially harm the people that the information relates to. Gramm-Leach Bliley Act, The Fair Credit Report Act, Children’s Online Privacy Protection Act,The Health Insurance Portability and Accountability Act, and etc. These acts explicitly states what kind of information can be collected, and if a kind of information can be collected from people, how to use these data and who can use these data are also limited. For example Gramm-Leach Bliley Act requires financial institutions to tell their customers their information-sharing practices and how to safeguard users’ sensitive data (FTC), HIPAA which prevent sensitive health data cannot be disclosed unless with consent from the patient who the data belongs to. (CDC) These are acts that are beneficial to both side of the contract; the government proposed these acts but did not revoke them, meaning they have sufficient information to do what they want; and the people have not protested against these established acts, meaning they are satisfied with these acts and think they are sufficient to protect their privacy. So for this part, we can conclude that whatever privacy law is in place right now, we should keep them and make sure they are not revoked.
ECPA: An Outdated Act that Fails to Address Contemporary Problems
Then we come to some lasting problems from the past where certain rules were in place before to safeguard people’s privacy but do not fit the current world and are not updated by the government, so they are not able to do what the lawmakers intended them to do when they drafted the law in the first place. One of which is the Electronic Communication Privacy Act (ECPA) of 1986. This act, in short, restricts the scope to which the government can access electronic communication records, where some information can be obtained from providers with a subpoena; other information requires a special court order; and still other information requires a search warrant. This act has been amended multiple times after it has ben enacted, which now it applies to emails, telephone call records, and data stored electronically. (BJA) However this act does not cover one important thing that is location data. One of the most important metadata nowadays only made able by the rise of smartphones. The latest amendment has been done to ECPA is in 2008 by the FISA Amendments Act of 2008, but yet it still does not cover locational data which is stored electronically, able to be used to track down where people are and expose their privacy (living space, daily routine and etc). Currently this data is available to the government and companies whose app require locational data, or devices actively records location of the user without strict regulations.
Data Brokers: Benefiting From Missing Regulations
The last problem is mining data from public platforms and data trading by third party companies known as Data Brokers. Though on some platforms the communication between individuals are protected by law, this does not include social media where people actively post parts of their daily lives in public domain, or say things out of a variety of purposes for others to see. These actions are done willingly by the users and they own their posts which are in public domain by default and any interested party can just scrap that data off the internet and start feeding it through certain algorithms to mine information within. Sometimes people feel their right is violated in this sense, and they are rightly so to feel that way, since currently the advanced machine learning algorithms can extract even the tiniest details from a bag of seemingly unrelated information. This is why DHS, as mentioned above, is using such tool to mitigate terrorism activities. However what should be banned is data trading by Data Brokers. These companies only exist because a lack of baseline data privacy act in the United States, and they collected all sorts of personal information they could mine online: name, address, profession, income, political preference, relatives and etc. As long as it could be useful to some party regardless of their intentions, then the data is profitable, and data brokers will collected and sell it. Some of the information only government cannot collect due to restrictions by law, can be bought from data brokers since gaps in legislation, and data brokers are more than willing to sell this information to the government if the pay is higher than other buyers. (EPIC) This creates a loophole in current legislation, where the laws we enacted are not working as they are intended to be, and this needs to be addressed, otherwise it renders our previous effort useless.
Recommendations
the solutions are on the table right now — WE only need to enact them
American Data Privacy and Protection Act
Fortunately, this article is not the first one to explore all problems described above. People with interest in the people are already pushing for changes to the current messy situation of data privacy in the US. In 2018 the EU enacted one of the most well-rounded data privacy law in the world, General Data Protection Regulation, aka GDPR. Which for all types of data, generally they can only be collected if the user agrees to do so. And parties which are collecting the data can only do so if there is a specific purpose for the collected data, and they cannot collect more than needed. All data needs to be up-to-date and real. (Wolford) The US right now has a bill in congress called American Data Privacy and Protection Act, aka ADPPA. This is very much so modeled after the successful GDPR of EU, with main differences being definition of certain terms, such as ADPPA covers only US residents, exclusion of certain types of data from “covered data” and etc. But the main structure and regulations are roughly the same, which is a proven model that could be enacted in the US to serve as a baseline model for data privacy from now on. (Congress)
ADPPA is a national act, that if implemented, would govern how companies across different industries treat consumer data. It would have a set of regulations applied to all business in order to protect consumer’s data. The regulation would be based on size of the business along with other factors like type of business so that small- and medium-size businesses are not burdened by this act while trying to fulfill impossible regulation requirements. The general purpose of the regulations in this act is to prevent any entities from collecting, using or transferring covered data beyond a reasonably necessary scope to specific entities. Under this general purpose, Data Brokers are prohibited since the hole in legislation which they profit from is now filled. The act also requires entities to implement data security proportional to their size and purposes. Consumers under this act would have various rights over their covered data, including right to access, correct, and delete their data held by a particular entity. This act also ensures basic civil rights by prohibit most covered entities from using covered data in a way that discriminates on the basis of protected characteristics, while also requiring large data holders to conduct algorithm impact assessments. Furthermore the act provides extra support for individuals under age 17, notably excluding them from target advertising. (Congress)
Debate Over ADPPA
Even though ADPPA is a bipartisan bill that promptly solved the problems that previously similar national level data privacy policies had, it is not supported by all parties on this issue. This is not to overlook the fact that this bill has received support not only from both parties but the U.S. Chamber of Commerce as well. Neil L. Bradley, Executive Vice President of U.S. Chamber of Commerce, expressed in a letter sent to the committee responsible for pass the bill that this bipartisan, durable national privacy legislation should be passed. Though there will be some difficulties that lie ahead of enacting the bill, the chance to finally stop state-level patchwork for data privacy act should be taken as such practice only causes entities to spend more money on following up with the patchworks and confusion with all the different state-level legislations. (Bradley) And it is the state-level legislations that are in center of debate as well. The opposition side of the argument can be very well summed up by statements released by California officials: Rob Bonta, attorney general; Ashkan Soltani, executive director and Gavin Newsom, Governor of California. They all focus on the preemptive nature of ADPPA, which means ADPPA has the power to overwrite the state-level legislations and create a “ceiling” for data protection. All three of them argued in their letters that the CCPA currently in place in California right now is a much stronger data protection act, and ADPPA in its current form is only going to reduce the protection that Californian consumers are currently enjoying. They therefore demand a change in ADPPA, so that it serves as a “floor”, a baseline requirement for all states on data protection instead of a “ceiling” so it would not take away the rights which are currently enjoyed by consumers residing in certain states.(Bonta)(Soltani)(Newsom) Nancy Pelosi, while speaking about this issue referred to Governor Newsom’s objection against ADPPA and recognized his valid points regarding CCPA. While praising California for doing a good job on protecting its people, she also said that due to this objection, the bill is going to be delayed and revised upon in order to resolve these conflicts. (Pelosi)
Another Supplement Act To Deal With Data Brokers
Lastly, data brokers. With a national data privacy act, many of the activities that data brokers are performing right now will be rendered illegal and therefore stopped. However it would be good to mention that if the ADPPA still did not get passed for any reason, there is another bill in congress right now: S.4408 — Health and Location Data Protection Act of 2022. This act prevents people’s health and location data from being collected by third party companies and sell as a merchandise. (Congress) As a conclusion, the current legislations that are already protecting people’s data privacy should be kept and maintained, with the new bills in Congress pushed and enacted so the government can provide a good, overall protection to its citizens, while some of the state-level legislations should be put down in light of a national one.
