2018 was undoubtedly the year that data privacy took centre stage, with the questionable practices of several social media giants concerning the use of user data held up for public scrutiny.
Facebook was at the heart of this, with the sharing of user data with third parties repeatedly called into question.
Just before Christmas, it emerged that Facebook had allowed third-party advertisers, including Spotify and Netflix, access to users’ private Facebook messages.
This revelation, as well as many others, has not only tarnished the reputation of social media giants, but some are predicting that it could spark debate this year over US privacy law and its shortcomings.
Could the US benefit from the introduction of EU-style privacy laws, and will they be adopted?
GDPR and the US
Introduced in May, the European Union’s General Data Protection Regulation (GDPR) allows individuals better access to the data companies have on them, and requires companies to obtain consent before collecting such data, risking hefty fines if they do not comply.
Although US companies have to comply with GDPR if they have any data on European Union citizens, data protection regulations on the same scale for US citizens do not exist.
The US does have some of its own privacy regulations, such as anti-spam legislation or the Federal Trade Commission Act. There is also state-level legislation such as California’s Consumer Privacy Act, which requires business to disclose what information they hold on individuals and is due to come into effect in 2020.
However, this patchwork of legislation by no means as far-reaching as GDPR. President and CEO of non-profit organisation Center for Democracy and Technology Nuala O’Connor explains that current US privacy law makes it difficult for individuals to understand what data companies have on them:
“Under the current patchwork of privacy laws in the US, it is impossible for individuals to understand, let alone manage, the many ways their data is used.”
The rise in public awareness of online data privacy may mean that legislative change is welcome. According to Diginomica, a study commissioned by the SAS last year revealed that 67% of US citizens believe that the US government should do more to protect data privacy.
IAITAM President and CEO Barbara Rembiesa believes that Facebook has gone beyond what most people would deem an appropriate use of user data:
“The year 2018 has been a difficult one for Facebook. Between testifying before both domestic and international courts as well as the bad publicity surrounding the Cambridge Analytica scandal, one would think that Facebook would be careful how it handles and distributes personal information. This time, it turns out Facebook was selling access to your personal data. This includes private conversations.”
Initially it looked unlikely that the US would adopt its own version of GDPR, with GDPR compliance expensive and time consuming, as well as raising the issue of commercial freedom, but the actions of Facebook and others highlight shortcomings in existing US privacy regulation. In other words, Facebook may have overstepped the mark for what is considered an acceptable use of data enough times for the public to support legislative change.
Some have gone so far to predict that 2019 may see the introduction of legislation that bears some resemblance to GDPR.
Rembiesa believes that the negative publicity received by the likes of Facebook may kickstart calls for greater regulation:
“Advertisers and marketers used their wide-open access to harvest PII [Personally identifiable information] from Facebook users without the knowledge of the individual. As a result, some users of Facebook and other social media platforms are now looking for a solution to protect their data as well as their digital identity. Those same people have looked at the EU and their sweeping regulation that turned the power and authority of protecting PII back to the individual: the GDPR.”
Some are calling for legislative change
Rembiesa believes that scandals such as Cambridge Analytica may speed up legislative change:
“The recent Facebook discovery has people looking for the adoption of something like GDPR in the US faster than anticipated. It seems that people feel they are able to make decisions about their personal data better than any company or organisation would.”
There are also some people within Silcone Valley calling for tougher privacy legislation on a federal level, with Apple CEO Tim Cook publicly stating that regulators should have more control over the ‘weaponisation’ of personal data at the International Conference of Data Protection and Privacy Commissioners earlier this year.
The Center for Democracy and Technology (CDT) has also set out a draft federal privacy bill, a framework for new US privacy laws that would grant citizens the right to access their data, have it removed from an organisation’s database and addresses third-party data sharing.
There has also been lobbying from some Democratic senators, proposing a Data Care Act that would hold large tech companies responsible for ensuring that user data is stored securely.
Companies may already be preparing for the extensive legwork needed to ensure compliance. According to the International Association of Information Technology Asset Managers, many US based companies are actively recruiting data protection officers in preparation for possible new regulations.
Although it is worth noting that new legislation could not be brought in overnight, with GDPR first proposed back in 2012, the conversation surrounding data privacy has changed.
Michelle Richardson, Director of CDT’s Privacy and Data Project believes that changes to regulation need to be made in order to reflect this:
“For legislation to be more than a band-aid, we have to rethink the relationship between businesses and the people whose data they hold. We need to establish sensible limits on data collection, use, and sharing, so that people can entrust their data to companies without accepting unreasonable risk.”