The past few years have seen an epic struggle between governments, businesses and individuals for governance of the Internet. The platform, which now pervades every aspect of our daily lives, promises different things to different stakeholders. Governments see it as a driver of economic growth as well as a source of intelligence about competing economies, terrorist threats, domestic law enforcement and, in certain countries, political dissent. Businesses view it as a hotbed for innovation as well as a treasure trove of information about consumer tastes, intentions and behavior. Individuals experience it as an endless source of media, commerce and opportunity, as well as a bedrock of freedom in totalitarian countries.
Last week’s release by the White House of its long-anticipated Consumer Privacy Bill of Rights Act (CPBR), together with the historic decision by the Federal Communication Commission (FCC) to classify Internet service providers as public utilities, are the latest attempt by the U.S. government to tame the online beast. In both cases, government sides with individual consumers trying to rebalance a playing field that many view as tilted in favor of a consolidated corporate power. In this sense, I have recently written that privacy is the new antitrust. The role that antitrust played in the wake of the Industrial Revolution is being captured by privacy in the Digital Age. Privacy has become the boundary, the limiting principle, the litmus test for the delicate balance between the tremendous benefits and formidable risks of a dizzying array of technological innovations.
To be sure, given the current partisan environment on the Hill, the CPBR will not see the light of day in Congress. Yet the Obama administration has sown the seeds for a dramatic policy shift, which will no doubt reemerge if and when the balance of power on Pennsylvania Avenue changes. Today, the Federal Trade Commission (FTC), already the most powerful privacy regulator in the world, is armed with a slingshot. It has interpreted its authority under Section 5 of the FTC Act to enforce against “unfair or deceptive acts or practices,” which dates back to the 1930s, judiciously, incrementally—some think overcautiously. By comparison, the CPBR would provide the FTC with a military-grade automatic weapon. It would empower the agency to effect a sea change in entire swaths of the data economy that have thus far been sparsely regulated.
The legislative proposal is rife with charged concepts, complex definitions and contentious principles. Its definitions of personal data (including unique device IDs), de-identification (“data could not be linked as a practical matter to a specific individual or device”) and privacy risk (including emotional distress) will spawn a torrent of academic and practical controversy. Its definition of context (context!) is a strikingly ambitious attempt to impose rigor on a notion that has so far been the subject of fleeting intuitions. Its embrace of a right to delete and introduction of a new governance institution, a Privacy Review Board, is path-breaking.
Some may argue that similar legislation has already existed for two decades in Europe with little impact on online growth and innovation. Indeed, the 1995 Data Protection Directive, which is now being revised in yet another face-off between government and business, has had little impact on the Internet. Yet it is an open secret that the Data Protection Directive has traditionally not been enforced, accounting for a gaping void between “privacy on the books and on the ground.” The combination of tough, principles-based privacy law with a U.S. culture of compliance and enforcement has profound implications for the development of the Internet and its growth trajectory. Similarly, the FCC’s decision to subject online service providers to the staunch privacy provisions of Section 222 of the Communications Act could have significant economic impact, as the provision of online services is no longer the domain of just cable and phone companies but also a complex mobile ecosystem morphing into an Internet of Things.
Anyone interested in these fascinating social, technology and economic policy developments will feel like a kid in a candy store at this week’s IAPP Global Privacy Summit. Whether you attend a session in which the White House presents the CPBR; the FTC and FCC debate regulatory and enforcement trends with European regulators, or the European Commission defends the right to be forgotten, you will experience and meet firsthand the forces behind these fateful discussions.
While the CPBR is unlikely to be the mechanism by which the Internet is brought to heel, we are unquestionably seeing an increase in the sophistication of the attempt.
Photo credit: சல்லிகட்டு - The Bull Taming Sport @ Palamedu, Tamilnadu via photopin (license)
If you want to comment on this post, you need to login.