The European Union’s new privacy law, the General Data Protection Regulation (GDPR), went into effect on May 25, 2018. Since then, a number of privacy advocates have called for the United States to follow suit and pass its own comprehensive data protection legislation that meets or exceeds the standards in the GDPR. Yet critics of the GDPR maintain that these regulations would impose significant costs on the economy and degrade the consumer experience online. Pressure is mounting for lawmakers to take a position, and the Trump administration is considering its own set of privacy principles that it may send to Congress.
ITIF held a no-holds-barred debate about what the future of U.S. privacy law should look like, moderated by Axios Managing Editor Kim Hart. Kim began the event by giving a brief overview of the GDPR and introducing the panelists.
The privacy regulation proponents gave their opening statements first. Justin Brookman, Director of Consumer Privacy and Technology Policy at Consumers Union, stated that many Internet policy organizations recognize that the United States needs some sort of online privacy regulation. He argued that companies don’t write clear privacy policies for their consumers and that any American privacy regulation should address this reality. He argued that any privacy regulation should include transparency and provide consumers with information on where their data is going. Brookman suggested that consumers don’t have confidence in companies maintaining data and that regulators should create privacy regulation to build trust. He claimed that companies will track and leverage consumer data in increasingly invasive ways, and he argued that privacy regulation can help prevent that. He argued that the Federal Trade Commission should receive more money and staff to implement any privacy regulation passed by the federal government.
Will Rinehart, Director of Technology and Innovation Policy at American Action Forum, spoke in rebuttal. He argued that the GDPR stifles startups and that the affirmative information collection doesn’t help consumers. He argued that the GDPR’s fines are too harsh, especially for companies that don’t yet understand the law. He predicted that the GDPR will increase companies’ spending on regulatory compliance, and that those companies will pass the additional cost on to consumers. He did admit that there might be some need for privacy regulation in a limited aspect, but he argued that the U.S. should not look to the GDPR as a model for any privacy regulation.
Amie Stepanovich, U.S. Policy Manager at Access Now, spoke next. She stated that her organization supported the GDPR in Europe, but she does not think that the U.S. should copy and paste that legislation into American law. She does think, however, that privacy regulation needs to happen in the U.S.; otherwise, the U.S. will be left behind other countries in data protection. She argued that privacy regulation will help protect against future technology abuse because regulators could write privacy regulation to protect essential values like consent. She believes that regulators should create privacy regulation soon because it will enable future innovators to tailor their products to those regulations rather than spending money to comply in the future.
Daniel Castro, Vice President at the Information Technology and Innovation Foundation, spoke next. He argued that regulators should not create privacy regulation as broad as the GDPR. He argued that privacy regulation should not burden innovators and companies with compliance costs, and that the GDPR’s regulatory compliance costs are too much for affected companies. He predicted that the GDPR will raise costs for consumers, and he suggested that regulators ask whether consumers are willing to pay for privacy. He said that studies show most consumers don’t want to pay for privacy. He argued that regulators need to examine any opt-in component of privacy regulation, because opt-in legislation in the GDPR is too onerous for consumers and companies. Daniel said that he doesn’t want regulators to put an unneeded burden on companies and innovators.
Kim began the Q&A portion of the event. She asked the panelists if the federal government should take a narrow approach to privacy regulation. Amie stated that she would like to see broad regulation, because any regulation needs to affect multiple sectors of the economy. Justin said that any privacy regulation is better than what the U.S. currently has, but he doesn’t see a reason to narrowly tailor any future privacy regulation.
Kim then asked if transparency could be the first step to create privacy regulation. Daniel responded that transparency is an important value, but he thinks that regulators should write privacy regulation to avoid California privacy law or the GDPR becoming the law of the world. Will then argued that the GDPR arrived at the right time to have this conversation. He said that regulators should consider that America has different values than Europe. Amie then said that the Facebook-Cambridge incident proves that regulators should pass transparency legislation because Facebook would’ve continued its data-sharing practices.
Overall, the group agreed that replicating the GDPR exactly would be the wrong direction for the United States. The right direction, however, remains to be determined.