Recently, I moderated a PRI Webinar on Cybersecurity, Data Privacy, and Regulation During the Coronavirus Pandemic. It was a fantastic look at the current state of data privacy, the impact of the coronavirus pandemic, and where state and federal regulations on data privacy are headed. If you haven’t seen it yet, I encourage you to watch. If you cannot spare an hour, the following provides a high-level summary of the discussion.
Pacific Research Institute was grateful to gather an impressive panel. Our expert panel was just that: leaders in the field of data privacy and cybersecurity who have offered expert testimony to Congress and federal agencies, worked for the Federal Trade Commission, and helped draft federal laws. The panel included Jim Halpert, partner at global law firm DLA Piper, Steve DelBianco, Executive Director at NetChoice, Dan Caprio, co-founder and executive chairman of The Providence Group, and Bartlett Cleland, Pacific Research Institute Senior Fellow in Tech and Innovation.
One of the key components of data privacy, social media, and the modern internet as we know it today is Section 230 of the Communications Decency Act. Or as DelBianco called it, “the 26 words that created our internet.” Steve is referring to a section of the regulation that says, “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information that is provided by another information content provider.”
DelBianco also relayed the bizarre origin of Section 230: a lawsuit in New York between famed brokerage house Stratton Oakmont, of the infamous Wolf of Wall Street movie and Prodigy, Inc., an early online messaging website.
Stratton Oakmont won the court case against Prodigy, Inc., claiming they, as the publisher, were responsible for negative posts and comments from users. But a year after the court case, Congress passed the Communications Decency Act and set the stage of the rise of social media platforms and e-commerce to be free and clear from legal issues due to unruly comments.
Halpert also mentioned that the Trump’s administration recent executive order related to Section 230 was “a shoddy legal interpretation and not the intent of 230.” I should also mention that two of our panelists, Halpert and Cleland, worked on the drafting of the Communications Decency Act as Congressional staffers in the 1990s.
Federal Data Privacy Law
Since Section 230 paved the way for the modern internet, the breakdown of trust between the public and big technology companies is one of the compelling reasons why experts like Dan Caprio are calling for a federal data privacy bill. He said that a forward looking federal digital privacy law could alleviate consumer fear around data collection.
But he also pointed out that the federal data privacy bill debate has lingered in Congress and regulatory agencies for decades, with Europe’s General Data Protection Regulation law in 2018 and the California Consumer Privacy Act acting as catalysts for a national law.
Halpert and Cleland agree that a federal data privacy bill is possible, but regulatory guideposts are necessary to ensure that innovation isn’t crushed, and that the rapid change of technology won’t render a new law meaningless in a couple of years. They highlight one crucial component in the law needs to be flexibility to enforce unforeseen technological changes.
If the principle of Moore’s Law is any guide, a rigid federal data privacy bill could be outdated in two years or less given the rapid expansion of technology.
California Data Privacy Regulations and Impacts
The panel spent a good amount of time discussing the implications for the California Consumer Privacy Act, or CCPA. Panelists mostly agreed that California’s new data privacy law, scheduled to go into effect on July 1, 2020, will have implications beyond the Golden State. As the regulation is written, California’s law is a de facto federal data privacy bill, estimated to impact 500,000 U.S. businesses since it applies to anyone doing business in California.
DelBianco noted the incredible costs of CCPA compliance is estimated at $55 billion. That estimate, provided by the California Office of the Attorney General and state Department of Finance, represents an incredible cost of entry to businesses facing one of the most uncertain economic situations in modern history due to the coronavirus pandemic.
Caprio and Halpert also agreed, saying there was much work left to be done on CCPA and that the cost of compliance was incredible compared to the minimal protections.
Another interesting wrinkle in the California data privacy debate is that a second version of the law, called the California Privacy Rights Act, will likely be submitted and placed before California voters on the November 2020 ballot.
Cleland summarized the strange timing by saying, “So, in a matter of a couple of months, by November, we are looking at saying, to heck with all that [the original CCPA law], here is what we really meant.”
He pointed out that ballot initiative language is much more rigid compared to a bill that goes through the state legislature, calling into question how rigid the ballot initiative could be. The biggest change for this second California privacy law is the formation of a new state agency that will enforce state data privacy laws.
Halpert had an interesting take on the new data privacy regulations in California, guessing that Alastair McTaggart, the backer of both the provisions, is pushing these regulations to urge Congress to act.
The panel offered optimistic closing thoughts. Caprio is hopeful that a bipartisan solution is possible, and that Congress can come together for a federal data privacy bill. Cleland hoped that the critical challenges presented in regulating and understanding data privacy could be addressed without hurting innovation.
Halpert thinks that reducing the patchwork of data privacy regulations will help state and federal leaders come up with solutions that truly work. And DelBianco hopes we can keep the internet safe from free expression and free enterprise, which he thinks will be increasingly difficult in the years to come.
My take hits on a comment Cleland mentioned during the panel; the idea around what privacy really is and how we protect it. Current data privacy regulations are, like Caprio said, looking backward and rely on traditional thinking around reporting.
But one crucial concept to realize about data privacy is we do not own our data, or “virtual self.” Don and Alex Tapscott of the Blockchain Research Institute laid out a compelling case for individual data ownership in a recent Harvard Business Review op-ed.
The Tapscotts argue that regulations like Europe’s General Data Protection Regulation and the California Consumer Privacy Act are a “demand side” of dealing with data privacy by looking at sale and use. The real failure comes from the lack of interest in the “supply side,” like where data originates, who creates it, and who owns it.
We are likely decades away from a system where consumers own their digital identity and much of the argument from the Tapscotts tie into distributed ledger technology, or blockchain.
Hopefully, a federal data privacy is a true bipartisan effort that encourages innovation and expression, protects consumers, and has the thinking to leave room for future changes and innovations in the digital world.
Evan Harris is the media relations and outreach manager for PRI.