Many media outlets are reporting that the CEOs of fifty-one “tech companies” have urged the US Congress to pass a federal data privacy law. The letter itself, from the Business Roundtable, an association which includes these fifty-one companies and others, notes that:
There is now widespread agreement among companies across all sectors of the economy, policymakers and consumer groups about the need for a comprehensive federal consumer data privacy law that provides strong, consistent protections for American consumers.
Such words, of course, is rich coming from tech companies, many of whom (if not most) have made and still mint their coin by ensuring that consumer privacy does not pose an obstacle to selling sharing personal information with advertisers and other entities. (Despite the label “tech” companies, a cursory scan of the list shows that at least half are anything but).
In a further sign that these CEOs have turned off their irony gauges, they state that an all-encompassing data privacy law is necessary because:
Consumer trust and confidence are essential to our businesses. We are committed to protecting consumer privacy and want consumers to have confidence that companies treat their personal information responsibly.
How exactly would a federal data privacy law accomplish this? Are these companies insinuating that, absent a federal law, consumers would not readily believe that companies are doing their utmost when it comes to consumer privacy? If so, those who boldly signed the letter should know that no amount of federal laws covering consumer privacy will make the average people believe that.
On the other hand, if these companies that “are committed to protecting consumer privacy” wouldn’t get hacked so often; or stopped the hacking as it happened; or figured out who the perps were soon after it happened; or discovered the data breach within hours (as opposed days, weeks, months, or even years) of its occurrence; or weren’t caught covering up data breaches… well, that would totally signal their commitment to personal data security.
The lack of a federal law is not the problem when it comes to consumer privacy. Neither is the abundance of state-level data privacy laws.
It’s a Red Herring (and Most Can Sense It)
It doesn’t take a genius to figure out that all this talk about the need for one federal law that will supersede the current mishmash of fifty state and other laws is not really about consumer privacy and responsible treatment of personal information.
As many have pointed out, this is most probably about preparing to unleash lobbyists onto a consolidated target, as opposed to unleashing lobbyists on fifty targets – a more expensive and inefficient approach at hamstringing what little protections consumers currently have when it comes to data privacy. If you’re not willing to believe in such cynicism, at least you’ll probably agree that it’s to make life easier for the companies themselves: instead of having to comply with fifty-plus laws, they have to deal with one. (How this is better for consumers has not been elucidated upon).
Such postulations are supported by passages in the letter such as this one:
Consumers should not and cannot be expected to understand rules that may change depending upon the state in which they reside, the state in which they are accessing the internet, and the state in which the company’s operation is providing those resources or services
If read in the wrong light, this sentence implies consumers should not even attempt try to concern themselves with the law. Surprisingly, though, the argument is mostly right: not even lawyers can make sense of certain regulations, so what chance do people have who do not work in the legal profession?
But, this is ultimately a straw man argument: data privacy laws generally ask nothing from consumers. The laws require the aggregators and holders of private, personal data – that is, companies like those headed by the fifty-one who signed the letter – to do certain things, such as what to do if hackers intrude into their networks. Or under what conditions personal data can (or cannot) be collected. Or whether data can be collected at all.
In addition to all of this, the media has reported over the years how companies (like the fifty-one) attempted to influence and curtail the authority and capacity of the European Union’s new data privacy law that went into effect last year – arguably a “federal law” that stands in for twenty-eight local ones.
Certainly, the democratic process allows, perhaps even requires, that all voice their opinions on legislation to be passed, even companies. And yet, it’s hard to remember an instance where industry lobbied for stronger consumer privacy protections. Even now, with the EU’s General Data Protection Regulation (GDPR) being in effect for a little over one year, companies are fighting to diminish its effect on them.
As such, it’s hard to believe the Business Roundtable letter at face value.
Related Articles and Sites: