
Senate Privacy and the consumer

Discussion in 'Community' started by Ender Sai, Apr 10, 2018.

  1. Ender Sai

    Ender Sai Chosen One star 10

    Registered:
    Feb 18, 2001
    Obviously this is timely due to the Cambridge Analytica/Facebook thing. But, also, it's been happening for some time in the background, and you may not be aware. The EU passed a sweeping set of privacy laws called the GDPR, or General Data Protection Regulation. Australia saw amendments to the 1988 Privacy Act take effect on 22 February, creating a more consumer-centric threshold for reporting privacy breaches to the privacy commissioner, and a range of penalties for entities captured by our privacy regime for non-compliance, including fines, class actions, and public censure.

    This piece from The Economist is a good starting point:

    America should borrow from Europe’s data-privacy law

    The GDPR’s premise, that consumers should be in charge of their own personal data, is the right one

    Print edition | Leaders
    Apr 5th 2018

    AMERICA rarely looks to the bureaucrats of Brussels for guidance. Commercial freedom appeals more than dirigisme. But when it comes to data privacy, the case for copying the best bits of the European Union’s approach is compelling.

    The General Data Protection Regulation (GDPR) is due to come into force next month. It is rules-heavy and has its flaws, but its premise that consumers should be in charge of their personal data is the right one. The law lets users gain access to, and to correct, information that firms hold on them. It gives consumers the right to transfer their data to another organisation. It requires companies to define how they keep data secure. And it lets regulators levy big fines if firms break the rules.

    America has enacted privacy rules in areas such as health care. But it has never passed an overarching data-protection law. The latest attempt, the Consumer Privacy Bill of Rights, introduced in 2012 by the Obama administration, died a slow death in Congress. The GDPR should inspire another try.

    The failings of America’s self-regulatory approach are becoming clearer by the week. Large parts of the online economy are fuelled by data that consumers spray around without thought. Companies’ arcane privacy policies obfuscate what they do with their users’ information, which often amounts to pretty much anything they please. Facebook is embroiled in crisis after news that data on 87m users had been passed to a political-campaign firm. Identity-theft is widespread; the annual cost to American consumers exceeds $16bn, according to some estimates. On March 29th Under Armour, a clothing brand, said that hackers had gained access to information about 150m users of its MyFitnessPal app.

    These scandals are changing the calculus about the benefits of self-regulation. Opponents of privacy legislation have long argued that the imposition of rules would keep technology companies from innovating. Yet as trust leaches out of the system, innovation is likely to suffer. If consumers fret about what smartphone apps may do with their data, fewer new offerings will take off—especially in artificial intelligence. It emerged this week that Grindr, a dating app aimed at gay people, had been sharing details of users’ HIV status with other firms. Tim Cook, the chief executive of Apple (which, admittedly, has sold itself on the idea that its customers’ data should not be a source of profit), has called privacy a “human right”. Even Mark Zuckerberg, Facebook’s boss, has signalled an openness to regulation. It is striking that many of the firms preparing for the GDPR’s arrival in Europe enthuse that the law has forced them to put their data house in order (see article).

    The need to minimise legal fragmentation only adds to the case for America to adopt bits of the GDPR. One reason behind the new rules in the EU was to harmonise data-protection laws so that firms can do business across Europe more easily. America is moving in the opposite direction. States that have detected a need for greater privacy are drafting their own laws. California, for instance, has pending legislation that would establish a data-protection authority to regulate how the state’s big tech firms use Californians’ personal data.

    Internationally, too, America is increasingly an outlier. Any American firm that serves European customers will soon have no choice but to comply with the GDPR; some firms plan to employ the rules worldwide. Other countries are adopting GDPR-style laws. A similar regime on both sides of the Atlantic would help keep data flowing across borders. The alternative, of a regulatory patchwork, would make it harder for the West to amass a shared stock of AI training data to rival China’s.

    Putting the personal into data

    America need not adopt the GDPR wholesale. The legislation is far from perfect. At nearly 100 articles long, it is too complex and tries to achieve too many things. The compliance costs for smaller firms, in particular, look burdensome. In addition, parts of the GDPR are out of step with America’s constitutional guarantee of free speech: a “right to be forgotten” of the kind that the new law enshrines will not fly.

    But these are arguments for using the GDPR as a template, not for ignoring the issue of data protection. If America continues on today’s path, it will fail to protect the privacy of its citizens and long-term health of its firms. America’s data economy has thrived so far with hardly any rules. That era is over.

    So, do you agree with the article? Or with the opponents of regulation who argue it stifles innovation? Is the GDPR the way you think countries should go?
     
  2. DebonaireNerd

    DebonaireNerd Jedi Grand Master star 5

    Registered:
    Nov 9, 2012
    I've recently written a research piece on the February amendments as part of my internship.

    I found myself liking the Privacy Amendment (Notifiable Data Breaches) Act 2017 because it succinctly and clearly outlines:

    · What constitutes a data breach
    · The requirements to notify the Commissioner of the data breach
    · The requirements to notify the individuals who are harmed by the data breach

    Yes, we are in the digital age but not all generations who live in this age are competent and/or competent with digital technology. In turn, many may not be aware of the ways in which their personal information is collated, used and (potentially) disseminated with third parties.

    I also believe this document is especially worthy when read in conjunction with the Privacy Amendment (Enhancing Privacy Protection) Act 2012 which discusses the concept of reasonable necessity when collecting information.

    Could laws like the ones I've named, or the GDPR, operate in a nation like America, which safeguards its right to free speech? Probably not.

    Remember, this is the nation where a cigarette smoking company successfully thwarted Legislation enforcing plain packaging for cigarettes on the basis that it prevented cigarette companies from openly advertising their brands.

    GDPR is absolutely worthy and I think Australia's recent amendments, along with the 2012 Privacy Amendment, are a worthy model.

    Question: does the 2010 Australian Consumer Law, with respect to misleading and deceptive conduct, provide additional protection to the consumer if the business in question promises safe and ethical storage and management of their personal data?
     
    Last edited: Apr 10, 2018
  3. firesaber

    firesaber Jedi Master star 4

    Registered:
    Mar 5, 2006
    I think what is currently being faced is a great example of technology outpacing process. Every major industry had its roots in self regulation only for those industries to later grow to where the behavior of those industries needed to be codified; from banking all way through medication production.

    This will end up having to go the same way sooner rather than later. The whole Cambridge/Facebook thing may very well be the catalyst and will in hindsight serve to validate at least the need or intent of the failed US efforts to do so.
     
  4. gezvader28

    gezvader28 Chosen One star 6

    Registered:
    Mar 22, 2003
  5. Rylo Ken

    Rylo Ken Force Ghost star 7

    Registered:
    Dec 19, 2015
    My wife and I had a discussion about this more than a month ago, and both of us concluded that the U.S. should pass its own GDPR in close alliance with the EU regulations.

    GDPR compliance is already a concern for many U.S. organizations/companies. My wife has needed to figure out how GDPR affects the international components of her own business. I think in general the number of major U.S. corporations that have had to undertake GDPR compliance programs is extensive enough to warrant all by itself a general U.S. adoption of the core parts of GDPR, just to put everyone on the same playing field. It will provide a uniform regulatory framework for everyone moving forward. Also, it's good for U.S. consumers, which I should have put at the top of the list.
     
  6. Ender Sai

    Ender Sai Chosen One star 10

    Registered:
    Feb 18, 2001
    I would agree, Rylo, and it seems that the kind of far-reaching impacts owe, in part, their genesis to FATCA in terms of forcing compliance on people outside the territorial jurisdiction.

    I get that you could mount an argument which says people should have been more judicious with their data on Facebook etc., to ensure anything they put up would be fine to go public. But that argument takes away responsibility from the parties who produce the platforms and therefore have insights into the behind-the-curtain analytics etc. There is a role for companies to play as gatekeepers, and in the US, the anti-regulation, ultra laissez-faire mindset seems to balk at this suggestion. Hence why there are no counterpart privacy regulations in the US relative to the EU et al.

    And I mean, the Facebook/Cambridge Analytica thing is bad, but I've not seen as much anger directed at Grindr for sharing HIV status data outside of the app...
     
  7. Rylo Ken

    Rylo Ken Force Ghost star 7

    Registered:
    Dec 19, 2015
    The really big players are all going to have to comply with GDPR anyway to some extent, not to mention some really small players, like my wife. In the spirit of trade war, I can almost imagine some kind of reactionary and absurd Republican/Trump effort to pass legislation that would ban companies headquartered in the U.S. from complying with GDPR.
     
  8. Ender Sai

    Ender Sai Chosen One star 10

    Registered:
    Feb 18, 2001
    Yes, but we have had to do this with Sarbanes-Oxley and FATCA, so fair is fair.

    But I mean, the EU's position I think is the right one. I've been doing a lot of work on regulatory compliance with privacy in the recent months, including the GDPR, and it's been interesting to see how stakeholders react. We're facing what someone like you would probably consider an embarrassment of riches - we have actual compliance fatigue at the moment, just due to all the regulation and continued regulatory/Parliamentary oversight. So things like privacy, which if you boil it down is a matter of trust with your client/customer base, should be an easy win. But it requires investment in training and systems, and that promotes groans and complaints of stretched SMEs...

    Anyway, I thought the comparison would be interesting, between people who are just constantly doing regulatory compliance and the US.
     
  9. Sith_Sensei__Prime

    Sith_Sensei__Prime Chosen One star 6

    Registered:
    May 22, 2000
    My legal group have had recent discussions about user privacy and the GDPR. Not so much about general regulations thereof, but specifically transparency. One of our European colleagues circulated this article from London-based law firm Ashurst regarding transparency, which notes:

    Having worked in IP litigation in Silicon Valley and now in-house for a tech company, it was no surprise to me that Facebook was sharing user data with a third party, given that the terms of privacy and user data are expressed in the "terms and conditions" to the users upon registering with the social media. So, I think FPNs as described above go a long way to educate users regarding their privacy and personal data, and additionally how to change those settings in the social network. Supposedly, Facebook was to send notices out to their users to express as much.
     
  10. Ender Sai

    Ender Sai Chosen One star 10

    Registered:
    Feb 18, 2001
    Thanks for that SSP, it was a good read.

    What's your take on the anti-regulation position? Pervasive in the American mindset? The prevailing view here is that American privacy regulations are probably the weakest and far too pro-company than pro-consumer - but that's an outside view, of course.
     
  11. Sith_Sensei__Prime

    Sith_Sensei__Prime Chosen One star 6

    Registered:
    May 22, 2000
    Well, in light of the Facebook/Cambridge Analytica scandal, tech companies in America are definitely looking inwards at their own terms and conditions and how they manage their users' data. And your outside view of American privacy regulations is on point, in that they are more pro-company than pro-consumer; as you well know, the American economic and political system is based on capitalism. Which, of course, is the principle that an individual or entity should be able to benefit and profit from their ideas, goods or services, and thus, any rules or regulations imposed by the government that impede, interfere or infringe on the ability to maximize profit or benefits will be met with resistance. Thus, anytime there's a Republican-controlled Congress there are numerous efforts at deregulation that affect business revenues.

    As for Facebook and other social media, search engines and other web-based entities, the American general public doesn't often realize they're dealing with for-profit private corporations and are far too trusting and naive in protecting themselves. Moreover, the American general public often doesn't consider the consequences of sharing personal information, as mostly everyone is mining for "likes" on the internet; i.e. their moments of validation, fame or other types of affirmation. And of course, most other people just want to connect with others (i.e. friends, family, etc.) over social media and don't really think about the corporation gathering and storing the personal data for usage. I tend to think that most Americans view social media as a free and government-controlled public service. And thus the reason why it's surprising to the general public to learn about the Facebook scandal.

    Therefore, personally, I'm in favor of certain kinds of regulation and transparency. I mean, the "terms and conditions" that users are "required" to read and agree to when registering with a private social media corporation are so lengthy and technical that most people just skip and scroll to the part where it says "by clicking this you are agreeing to the terms and conditions... blah, blah." And even if people read the terms and conditions, they're typically too technical and filled with legal jargon for a layperson to fully understand what they're agreeing to. And as such, I'm pro-consumer. There has to be a level playing field of understanding and disclosure. And especially if the U.S. is to adopt a type of GDPR regulation. The American consumers will need to have their rights and obligations explained in a short, concise and understandable fashion for the layman.
     
  12. Ender Sai

    Ender Sai Chosen One star 10

    Registered:
    Feb 18, 2001
    Do you guys have much in the way of unfair contracts legislation in the US?
     
  13. Sith_Sensei__Prime

    Sith_Sensei__Prime Chosen One star 6

    Registered:
    May 22, 2000
    No. There are no federal regulations regarding the practice of "unfair contracts." Some states might have some type of legislation to protect the consumer, but in California there isn't. The consumers must always enter a contract with the caveat of "buyer beware."

    So, in the absence of "unfair contracts" legislation, negotiation of terms and provisions in a contract in the US favors those with leverage.

    However, the courts do allow for remedies for "extremely" one-sided contracts, which are commonly referred to as "adhesion contracts" (aka "take it or leave it" contracts) in the US. But these cases are hard to win, as the consumer must prove to the court that they did not read or fully understand the specific provision(s) that were "unfair" to the consumer.

    Here's an article from the Cornell School of Law that will better explain "Adhesion contracts" than myself:

     
    Last edited: Apr 12, 2018
  14. Ender Sai

    Ender Sai Chosen One star 10

    Registered:
    Feb 18, 2001
    So basically, the whole caveat emptor thing which we all abandoned decades ago still drives consumer law in the US? JFC. I find new ways to be surprised at the time warp. I am assuming therefore caveat lector applies for EULAs and similar terms of use, which are designed to be impenetrable, dense, and unread by the consumer.

    Until that shifts, how can the US reasonably adopt a forward-looking privacy law?
     
  15. Sith_Sensei__Prime

    Sith_Sensei__Prime Chosen One star 6

    Registered:
    May 22, 2000
    My Spidey-sense is telling me you're being rhetorical.

    However, I'll still answer the question.

    As noted above, the capitalistic nature of the US economy and business practices favors those with leverage and typically allows them to benefit as such. And in the face of potential governmental regulation, historically, industries tend to police themselves before the government does, as in the cases of the comic book industry and the "Comics Code Authority" and the movie industry with the MPAA film "Rating System."

    Today, Yahoo/Verizon has taken a step towards transparency with their "End User License Agreement" and offer this notice regarding privacy and how they "collect and use data."

     
    Last edited: Apr 13, 2018
  16. Ender Sai

    Ender Sai Chosen One star 10

    Registered:
    Feb 18, 2001
    Oh look, American companies being terrible:

    https://www.theguardian.com/technol...sers-out-of-reach-of-new-european-privacy-law

    Facebook moves 1.5bn users out of reach of new European privacy law


    Company moves responsibility for users from Ireland to the US where privacy laws are less strict

    Alex Hern
    A lit sign at the entrance to Facebook’s corporate headquarters in Menlo Park, California. Photograph: Josh Edelson/AFP/Getty Images

    Facebook has moved more than 1.5 billion users out of reach of European privacy law, despite a promise from Mark Zuckerberg to apply the “spirit” of the legislation globally.

    In a tweak to its terms and conditions, Facebook is shifting the responsibility for all users outside the US, Canada and the EU from its international HQ in Ireland to its main offices in California. It means that those users will now be on a site governed by US law rather than Irish law.

    The move is due to come into effect shortly before General Data Protection Regulation (GDPR) comes into force in Europe on 25 May. Facebook is liable under GDPR for fines of up to 4% of its global turnover – around $1.6bn – if it breaks the new data protection rules.

    The shift highlights the cautious phrasing Facebook has applied to its promises around GDPR. Earlier this month, when asked whether his company would promise GDPR protections to its users worldwide, Zuckerberg demurred. “We’re still nailing down details on this, but it should directionally be, in spirit, the whole thing,” he said.

    A week later, during his hearings in front of the US Congress, Zuckerberg was again asked if he would promise that GDPR’s protections would apply to all Facebook users. His answer was affirmative – but only referred to GDPR “controls”, rather than “protections”. Worldwide, Facebook has rolled out a suite of tools to let users exercise their rights under GDPR, such as downloading and deleting data, and the company’s new consent-gathering controls are similarly universal.

    Facebook told Reuters “we apply the same privacy protections everywhere, regardless of whether your agreement is with Facebook Inc or Facebook Ireland”. It said the change was only carried out “because EU law requires specific language” in mandated privacy notices, which US law does not.

    In a statement to the Guardian, it added: “We have been clear that we are offering everyone who uses Facebook the same privacy protections, controls and settings, no matter where they live. These updates do not change that.”

    Privacy researcher Lukasz Olejnik disagreed, noting that the change carried large ramifications for the affected users. “Moving around one and a half billion users into other jurisdictions is not a simple copy-and-paste exercise,” he said.

    “This is a major and unprecedented change in the data privacy landscape. The change will amount to the reduction of privacy guarantees and the rights of users, with a number of ramifications, notably for consent requirements. Users will clearly lose some existing rights, as US standards are lower than those in Europe.

    “Data protection authorities from the countries of the affected users, such as New Zealand and Australia, may want to reassess this situation and analyse the situation. Even if their data privacy regulators are less rapid than those in Europe, this event is giving them a chance to act. Although it is unclear how active they will choose to be, the global privacy regulation landscape is changing, with countries in the world refining their approach. Europe is clearly on the forefront of this competition, but we should expect other countries to eventually catch up.”

    Facebook also said the change did not carry tax implications. That means users will exist in a state of legal superposition: for tax purposes, Facebook will continue to book their revenue through Facebook’s Irish office, but for privacy protections, they will deal with the company’s headquarters in California.

    The company follows other US multinationals in the switch. LinkedIn, for instance, is to move its own non-EU users to its US branch on 8 May. “We’ve simply streamlined the contract location to ensure all members understand the LinkedIn entity responsible for their personal data,” it told Reuters.