Unlike Europe, the United States doesn’t have a GDPR, but that could change with the introduction of an American privacy bill put forth by 15 Senators.
American Privacy Bill
Back in September, Rep. Suzan DelBene, a Democrat from Washington, introduced a privacy bill that would change the way consumer data is protected. Then in November, Sen. Ron Wyden, a Democrat from Oregon, introduced a bill that would give CEOs jail time for lying in mandatory reports to the FTC.
Now a group of 15 Senators has introduced a bill called the Data Care Act [PDF]. It would require companies that collect customer data to take reasonable steps to keep it safe.
And it has provisions that prevent companies from using the data in ways that could harm consumers. It would be enforced by the FTC, and let states pursue their own legal actions against companies for privacy violations. In certain ways it seems similar to HIPAA, and how doctors handle patient information. Under the Data Care Act, companies have to fulfill three duties:
- Duty of Care: Companies need to reasonably secure individual identifying data from unauthorized access, and quickly inform users if unauthorized access (a data breach) has occurred.
- Duty of Loyalty: Companies can’t use individual identifying data in any way that benefits the company while harming the user, would result in physical or financial harm to the user, and would be offensive to a “reasonable” user.
- Duty of Confidentiality: Companies can’t disclose, sell, or share user data without the user’s permission. In cases where data is disclosed/sold/shared, the company has to take reasonable steps to ensure the recipient of the user data fulfills these same three duties.
Sen. Brian Schatz, a Democrat from Hawaii who is one of the bill’s sponsors, said in a press release:
People have a basic expectation that the personal information they provide to websites and apps is well-protected and won’t be used against them.
The Data Care Act gives the FTC the power to fine companies for breaking this law, but doesn’t include jail time for CEOs. Read: [Proposed Bill Would Jail Executives Who Mishandle Customer Data]
Andrew:
The history of the health sector alone amply demonstrates that this is a necessary step. Tech companies have been invested with enormous amounts of potentially damaging data on their user base, which means they should be responsible, first to their clients/customers as to how they store, protect and use those data, as well as to society writ large as to their stewardship of said data. This is a relationship of unequal power that is sustained by trust. If that trust is violated, then there needs to be recourse and repercussions, both professional and legal/criminal, for the violator.
For any who think such regulation is either invasive or harsh, they should be aware that in every other profession or industry in which you have such access to people that you can substantially affect or cost them their lives, those industries and professions are already regulated, including in some cases by quality assurance boards and reporting systems. The medical/healthcare provider, insurance, legal, engineering, law enforcement and transportation industries have all come under such oversight and regulation, and necessarily so.
Lawmakers have been slow to catch up to the excesses already taken by the tech industry with respect to data privacy, domain and the personal safety and security of the user communities. As Tim Cook recently averred, such oversight and regulation is inevitable.