Data privacy in the United States isn’t in a good place. As it stands, it’s a confusing system that’s failing to ensure consumer protection, economic competitiveness, and the incentive to innovate. But as the 116th Congress begins to set out its agenda, data use and regulation will certainly be a high priority, and lawmakers should try out something that works for everyone involved.
The data privacy regime of the United States is one that’s made up of varying state privacy laws—like the draconian California Consumer Privacy Act—with industry-specific federal regulations. As a result of various competing obligations, compliance costs are high, especially for industries under more onerous obligations. In a data-driven economy, this effectively acts as a form of protectionism where highly regulated industries suffer, as evidenced by the slower pace of innovation in health care and education.
When regulations seek consumer protection at all costs, they’ll always limit data access.
Where an industry has no regulation, self-regulation is bound to happen. So it’s no surprise that the information technology sector, which has historically been very lightly regulated, has proven to be the most innovative in the United States. But recent innovations such as big data analytics, artificial intelligence, and cloud computing are increasing across industries, and ensuring a level playing field is essential to ensuring these technologies result in widespread economic growth.
Consumers have been taking issue with tech, as Americans are increasingly shocked by how much of their data corporations have collected. This concern is valid, but it must be balanced with the need to ensure data is accessible and usable for companies—maintaining American competitiveness. In his book, AI Superpowers: China, Silicon Valley, and the New World Order, Kai-Fu Lee, one of China’s leading venture capitalists, argues that in the coming decades, the enormous amount of data China collects will fuel its innovation dominance over the United States. There’s a good argument to be made against the simplistic narrative that data is the only thing that allows for dominance, but no matter what, it’s undoubtedly valuable.
When regulations seek consumer protection at all costs, they’ll always limit data access. The European General Data Protection Regulation (GDPR) does just that. And it’s telling that of the 20 largest tech firms in the world, none are European. As the European Union has been the first mover in crafting unified privacy frameworks, Congress must act to provide an innovation-friendly alternative, lest poorer regulatory standards become the benchmark by which global regulations are drafted. Good policy innovation from the United States would set a standard for a global privacy regime that is both pro-consumer and pro-innovation.
We Need Nuance and Flexibility
Approaches like the GDPR that seek to maximize consumer protections fail to acknowledge the importance of data collection in securing innovation. An approach rooted in nuance and flexibility is much better than one that treats all data as equal. And users usually aren’t concerned with the vast majority of the data they share, willingly exchanging it for a better online experience. Of course, there is usually some highly personal and sensitive information that ought to be secured. Maximizing consumer protection isn’t the only approach to doing this.
In order to balance the interests of consumers and producers, Congress should take lessons from the “grand bargain” proposed by the Information Technology and Innovation Foundation (ITIF). Their report argues that new data privacy rules will need to distinguish “between non-sensitive and sensitive personal data” and between entities that are critical or non-critical services, meaning data that’s sensitive and used by critical services—like finance or health care—would be subject to higher standards that would ensure consumer protection. But non-sensitive information used by non-critical entities, like the kind retail sites would need, would balance the interests of users and producers.
An approach rooted in nuance and flexibility is much better than one that treats all data as equal. And this is exactly the kind of data privacy proposal that Congress should take seriously if we’re ever to emerge from the Dark Ages of privacy law.