In the best of times, a new US president has a lot on his plate. But these times are not the best — they are extraordinarily challenging. And while the new administration has a lot of priorities — getting the pandemic under control, stabilizing the economy, dealing with record unemployment, and more — it also needs to look at an issue that has ballooned in the last year and set legislators, companies, and even many citizens on edge: data privacy.
Privacy during a pandemic is a tricky balancing act. On one side, personal data is being used to benefit public health — for contract tracing, self-reporting, and online screening tests, and more people are open to disclosing and sharing information. Personal data is also being distributed and used in new ways. For example, the government is working with Verily, a Google sister company, to offer online screening tests that require a Google account. One security company is applying surveillance cameras to detect coronavirus hazards by tracking locations that break occupancy rules and spotting fevers. And let's not forget millions of remote workers are now blurring the lines between home and work and challenging data privacy concerns along with it.
On the other side, there's public backlash against data sharing. Some governments have suggested using COVID data for uses other than diagnosis and contact tracing, and others have tried. Also, the vague changes being made to privacy policies on messaging and similar apps are causing alarm. The increased pressure for more regulation is rising fast.
The importance of data protection and privacy will continue long after the pandemic is behind us. This is an opportunity for the new administration to create real change and prioritize some beneficial, transformative, and impactful privacy initiatives.
Where should the administration begin? We see three main areas.
1. Restructure Technical Categories of Data
Right now, all personal data is treated the same. If it can be used to identify an individual, it's personal data. Therefore, data privacy applies to everything, and protecting it involves casting a really wide net. In practice, this doesn't work. All data is not equal. For example, the location data your mobile phone uses to track your whereabouts isn't the same as the location data your smart vacuum cleaner uses to roam around your house. But technically, they are the same category of data and must therefore be treated with the same level of sensitivity, protection, and oversight. This creates excessive governing and impedes innovation.
The solution? Create a data classification based not just on its technical category but also its potency.
This is one area where the government can take charge. Acknowledging the variety of personal data and degrees of sensitivity within categories will make a huge difference. Big tech, small innovators, legislators, policymakers, and privacy experts who already deal with this will approve. And it will lay the foundation for the most modern privacy framework in the world.
2. Pick Up Where Privacy Shield Left Off
When the European Union struck down the Privacy Shield last summer, many businesses were left without a safety net. The Privacy Shield was designed to support transatlantic commerce, but US surveillance practices were deemed incompatible with the EU's data privacy requirements. So, it fell apart and almost took Standard Contractual Clauses with it.
More than six months later, businesses are still unclear how to build a forward-looking framework to legitimately transfer EU data into the US. This especially affects smaller companies that can't adopt the extra measures the European Data Protection Board requires. The previous administration did not pick up the ball, but the Biden administration has an opportunity to quickly address the problem.
3. Propose Federal Privacy Legislation
Federal privacy legislation is an obvious answer but also the trickiest. It's not a new topic; it's raised every time a new state-level privacy bill is introduced, as every addition increases the fear of exponential complexity. Most state bills and laws have the same motivation — to safeguard the rights of the individual. That's a good thing.
Most local laws overlap by 95%, but that other 5% is lethal. That 5% difference multiplied across dozens of states has the potential to create colossal complexity. This was the catalyst for GDPR. Chaos ensued when the 28 EU countries, despite a history of coordination and cooperation, created individual, uncoordinated data privacy legal frameworks. GDPR resolved a real problem of data transfer between these countries. The US should learn from this. State-by-state rules can increase difficulties and expense.
It's not just complexity that creates problems. It's the aftereffects. With so many jurisdictions, accountability is an issue. Because it's almost impossible to keep track of where rights have been violated, data subjects lose faith in their rights to data privacy. Lack of coordination leads to finger-pointing — it's not on me, it's on you — and non-adherence. Whether deliberate or otherwise, any level of noncompliance undermines all the individual laws.
All Signs Point to Yes
Indications are that the new administration is headed in the right direction. First, it appointed a seasoned privacy professional, Christopher Hoff, to a key role at the Department of Commerce. Hoff will oversee discussions with the European Commission on a new framework. An opportunity for new enforcement under the Federal Trade Commission, specifically advocating for more emphasis on individual liability, is also on the radar.
The process for protecting data privacy won't be all rainbows and unicorns. There will be stumbling blocks. However, the federal government is in an excellent position to make significant progress — not just because it's needed, but also because it's time.