By Jerri-Lynn Scofield, who has worked as a securities lawyer and a derivatives trader. She is currently writing a book about textile artisans.
Cisco yesterday “issued a call to governments and citizens around the world to establish privacy as a fundamental human right in the digital economy,” according to a Cisco press release.
Other Big Tech companies have already endorsed drafting a federal privacy law, as reported by Ars Technica in Cisco, like Apple and other tech giants, now wants new federal privacy law.
Is this a sign that tech executives have suddenly developed misgivings about how the companies they’ve created collect and misuse our data?
No, not exactly.
As the New York Times reported in August, in Tech Industry Pursues a Federal Privacy Law, on Its Own Terms, in the wake of California adopting a sweeping privacy protection law:
In recent months, Facebook, Google, IBM, Microsoft and others have aggressively lobbied officials in the Trump administration and elsewhere to start outlining a federal privacy law, according to administration officials and the companies. The law would have a dual purpose, they said: It would overrule the California law and instead put into place a kinder set of rules that would give the companies wide leeway over how personal digital information was handled.[Jerri-Lynn here: my emphasis.]
“We are committed to being part of the process and a constructive part of the process,” said Dean Garfield, president of a leading tech industry lobbying group, the Information Technology Industry Council, which is working on proposals for the federal law. “The best way is to work toward developing our own blueprint.”
What Has Cisco Proposed?
Let’s turn to that Cisco press release again, in which the company urges three basic principles for US data privacy legislation:
- Ensure interoperability between different privacy protection regimes;
- Avoid fracturing of legal obligations for data privacy through a uniform federal law that aligns with the emerging global consensus;
- Reassure customers that enforcement of privacy rights will be robust without costly and unnecessary litigation.
And now, let’s examine each of these in turn.
First, Ensure interoperability between different privacy protection regimes. The EU implemented its General Data Protection Regulation (GDPR) in May 2018, a change EU GDPR.org called “the most important change in data privacy regulation in 20 years”(for a summary see here).
What Cisco recognizes in making this recommendation is that any change the US would make to its privacy protection regime would need to mesh with the EU framework. I’m not going to focus on this point here, but will instead focus on Cisco’s other two points, which concern US domestic privacy law.
Second, Avoid fracturing of legal obligations for data privacy through a uniform federal law that aligns with the emerging global consensus. The stated concern – over “fracturing” – merely refers to the cost of having to comply with multiple state regulatory regimes. A recent post in the New Jersey Law Journal, The California Consumer Privacy Act: What You Need to Know, for example, outlines what criteria trigger obligations by businesses outside the state to comply with the new California statute. And my post from yesterday, Illinois Supreme Court Affirms Biometric Privacy Law, Clearing the Way for Lawsuits, discusses one law firm’s assessment of what steps businesses that have employees in Illinois or that operate in the state should consider to avoid liability under the state’s biometric statute.
Cisco’s call to replace this fractured system with a uniform national framework rejects the position Supreme Court Justice Louis Brandeis set out 1932: that states should act as “laboratories of democracy”, assaying their own policy experiments, before the national government acts on an issue. The best recent example of this I can think of is Colorado’s decision to legalize marijuana five years ago. But there are many other such experiments that have been successfully undertaken, and implemented at the state, and city level — some of which — such as California’s emissions framework – that have then been taken up at the national level.
What Cisco and Big Tech especially fear: California’s privacy framework, which comes into effect in 2020. And the concern is not limited to compliance with the provisions of this flagship data protection statute, but also, as I wrote in this December post, Advertising Trade Association Presses for Federal Data Privacy Regulation, a recognition that large companies may have less coercive influence over state legislatures and policymakers than they do at the federal level:
Undoubtedly a huge unmentioned motivating factor, as far as data procurers, users, and brokers are concerned, is that the governments of some states – including California – have not been captured to the same extent as the federal regulatory apparatus. So on occasion, states may either enact meaningful consumer protections, and in some instances, state legal officers actually attempt to enforce them.
I am of course well aware that a certain amount of grandstanding occurs at the state level, but nonetheless, the situation is not nearly as dire as the federal state of play — where the deterioration, I should point out, in public policies even remotely reflecting popular opinion and majority needs, occurred well before Trump was inaugurated.
Third, Reassure customers that enforcement of privacy rights will be robust without costly and unnecessary litigation. This brings us to the heart of the matter. Big US corporations fear lawsuits. The taming of the Justice Department and various regulatory agencies, including the Securities and Exchange Commission and the Environmental Protection Agency, in enforcement matters means that private lawsuits are one of the sole remaining means ordinary people can use to try to redress grievances.
As an aside, I should mention that regular readers know this deterioration is not something that occurred on Trump’s Watch. I’ll spare you a recitation of the litany of citations to previous posts on his immediate predecessor’s failures in this regard, but will be happy to discuss some of them in comments, if there’s interest.
As to lawsuits, I recognise there are huge obstacles to bringing and prevailing in these, especially in class actions. These obstacles have increased, and indeed accelerated, since at least the Clinton administration, as part of a considered campaign in which corporate lobbyists – acting on behalf of potential corporate defendants- have largely prevailed.
Elements include:
- statutory changes, such as the the Private Securities Litigation Reform Act (1995) and the Class Action Fairness Act (2005);
- Supreme Court decisions, including imposing restrictions on punitive damages, upholding mandatory arbitration clauses, and interpreting standing and pleading requirements;
- seating business-friendly friendly judges, which the Trump administration has excelled at, building on previous framework constructed by his predecessors (and not just the Republican ones); and
- funding and pursuing “legal reform” or “tort reform” campaigns, which include financing judicial campaigns, particularly for the highest state courts – where judgeships are often elected positions; and changes to state laws.
What Is To Be Done?
I’m glad to see Cisco espousing the importance of data privacy as a “fundamental human right”– even if this is a mere rhetorical exercise.
I fear, however, once the current Congress considers this issue, that the federal data privacy regime they will enact will be much worse than the current state of play. Corporate Democrats rely too much on tech money for campaign finance to construct a system of tight restrictions, and progressive Democrats have their eyes set on different prizes — Medicare for All, the Green New Deal, tax increases on the wealthiest. Although there are some Republicans who espouse libertarian principles, I think it unlikely that the Trump administration nor many influential Republicans, will take up the challenge of safeguarding our privacy.
I’m not sure the date on the GDPR is right.
Thanks! Fat fingers. Fixed.
In short: a privacy law is a law to grant these companies can play and profit with/from private data at their will.
It wouldn’t be the first law with a misleading name put to it.
Shorter:” We believe that people should be able to lock the front door of their house, but it would be mean to criminals to lock the back door, too…”
This may be somewhat tangential (my apologies, if so) to Jerri-Lynn’s post, but I thought it was disturbing, from Real News Network.
Global Tech Companies Renew Push for Control Over All Data
https://therealnews.com/stories/global-tech-companies-renew-push-for-control-over-all-data
“…there is an effort in the World Trade Organization to launch new negotiations that are being called e-commerce, but really have to do with the future economy, which will be digital. So in the future, all aspects of economic transactions will have a digital component. And the big tech companies are trying to get in place a set of rules that will benefit them. They actually came up with these rules, Google and Amazon and Facebook and Microsoft have an industry association, they propose them to the U.S. Trade Representative and the U.S. has been proposing these ever since.
Now, what are some of the concrete proposals? The number one objective of these companies is to get control of all of the data around the world. So they have it in a provision called Free Flow of Data, and what this would mean was that these companies can come into developing countries, give them market access to developing countries, they would be able to then take all of the data out of those countries, process it into intelligence, and be able to use that. We know that big data sets are the currency of artificial intelligence, and whoever controls AI in their industry in the future is going to be dominant in that industry. So this is really fundamentally about getting control of global data by these big data corporations. And we know also that data is now seen as the world’s most valuable resource, so it’s akin to saying to developing countries, “Let us get control of your most valuable resource before you’re able to even price it or know what the value is. Let us take it for free.”
This:
http://www.wsj.com/articles/SB10001424052702304778304576377141077267316
does warrant some attention.
From the folks that brought you pivot to video…. coming soon to a theater near you.
One must be carefil not to roll back HIPPA’s privacy protections.
Extending HIPPA to cover all data would be a intetesting approach.
We know medi al insuramce Companies would like full unfettered access to all Medical information to provide “custom premiums.”
Roll back HIPAA’s privacy protections? They are merely loopholes that need to be filled!
Read: http://blog.petrieflom.law.harvard.edu/2019/02/07/hipaa-rfi-comments-patient-privacy-rights/
The Office for Civil Rights is soliciting comments on the HIPAA Privacy Rule (due Feb. 12) on specific areas including:
Encouraging information-sharing for treatment and care coordination
Facilitating parental involvement in care
Addressing the opioid crisis and serious mental illness
Accounting for disclosures of PHI for treatment, payment, and health care operations as required by the HITECH Act
Changing the current requirement for certain providers to make a good faith effort to obtain an acknowledgment of receipt of the Notice of Privacy Practices
https://www.govinfo.gov/content/pkg/FR-2018-12-14/pdf/2018-27162.pdf
“The stated concern – over “fracturing” – merely refers to the cost of having to comply with multiple state regulatory regimes.”
The stated concern – over fracturing – merely refers to the cost of having to BRIBE multiple state regulatory regimes.
Fixed it.
You got it! While we were asleep, and quietly accepting evey new tech toy we were busy passing our private information to the Tech Boys. Our mission should be roll back and take back what we lost.