Throughout his career, Eric Null’s work has touched on privacy in a variety of ways — from basic concepts like consent mechanisms, to children’s protections, to legislative work toward comprehensive privacy legislation.
Now, through his role as director of the Center for Democracy and Technology’s Privacy and Data Project, Null has an opportunity to “really dig deep” specifically into privacy work, and he couldn’t be more excited.
“What an incredible opportunity to focus on privacy and get into the issues, get into the nuances, which is something I’ve really wanted to do,” said Null, who was appointed to the role in late January. “And obviously getting to work with an amazing team of people, not just the privacy and data team, but the broader CDT team. They are already challenging me to think better, be better and be clearer. I’m really grateful to them for that already.”
Null joins CDT from Access Now, an international human rights organization where he oversaw technology and digital rights policy in the U.S., particularly around data protection and content moderation. He had previously focused on privacy and connectivity as senior policy counsel at New America’s Open Technology Institute, including work around comprehensive privacy legislation, and served as senior staff attorney at the Institute for Public Representation at Georgetown Law School, where he gained experience in areas of children’s privacy.
The Center for Democracy and Technology, based in Washington, D.C., and Brussels, Belgium, works toward solutions for today’s technology policy challenges. For the privacy and data team, Null said that work is wide-ranging.
The COVID-19 pandemic has led CDT to shine a light on student privacy and health care data. CDT recently released a guide on protecting student privacy while using school-issued devices like laptops and tablets, including recommended steps to wipe data from devices. In February, CDT and Executives for Health Innovation released the second phase of the “Consumer Privacy Framework for Health Data,” in response to concerns over the use of unprotected health data in the absence of federal privacy legislation. The framework sets standards around collection, disclosure and use of health data not protected by the Health Insurance Portability and Accountability Act.
With the pandemic raising questions and challenges around work-from-home and employee surveillance — as some companies have turned to tracking software to monitor employee productivity — Null said employee privacy has also been an area of focus for the team. When it comes to employee monitoring, he said CDT is closely watching potential bias of artificial intelligence technologies. For example, employees who stand and walk around while on a phone call may be accused of walking away from their desk and not working, or an employee using a wheelchair may take longer to use the restroom than a program’s set time allowance.
“For someone with disabilities that could be prohibitive,” Null said. “There’s a wide variety for really problematic practices as it relates to disability.”
The organization is also working to ensure online data collection and use practices don’t discriminate against a person based on a protected characteristic, something CDT advocates for as part of its long-term goal to see a comprehensive privacy law passed at the federal level.
“That’s the optimal approach,” Null said, of federal legislation. “Of course, there are multiple different approaches we are seeing play out. We’re seeing bills passed at the state level. I think a lot of state representatives have their heart in the right place, but there’s so much lobbying that happens at the state level that it’s really hard for them to get the strong protections that we want. It’s a bit more possible at the federal level.”
If a federal law included strong privacy protections, particularly in the areas of civil rights and data minimization, Null said “we can actually make a real difference.”
“Certainly, data minimization is one of the core principles to reduce the overall collection of data, civil rights protections are obviously very key, and provisions for health and workers would be helpful,” he said. “User rights, the ability to access, delete, port and correct data would be useful. I think those are all important user rights to allow people who are actively monitoring the data they are putting out into the world to be able to have some options over it.”
Significant progress has been made toward “something that could be a bipartisan privacy law,” Null said. “Obviously, we’re always going to wrangle over the super details of it, but I think both sides have made strides toward getting closer to an agreement and that’s the point where we’re at,” he said.
The privacy field is complex, and Null said he’s been drawn in by that complexity along with the “difficulty” of challenges presented in today’s digital world and the “necessity of the solution.”
“It’s such a complex problem with so many different variables and so many tradeoffs. There’s a real opportunity to get into the nuance of the issues,” he said. “You have to be oriented toward a solution to the problem, which in my view, is this obsession with collection and processing of every piece of data possible. And so, trying to find a solution that actually solves that problem is really difficult while taking into account so many different variables and so many different industries.”
Moving forward, Null said CDT’s data and privacy team will continue advocating for federal privacy legislation and working to find ways to “meaningfully protect people.”
“Reduce the amount of data collected about them, and give people an actual sense of privacy online, which I think has been lacking over the last 15 years,” he said.
Photo by Ales Nesetril on Unsplash
