
U.S. Federal Privacy Legislation is Long Overdue

The 2010s shook the open web as many countries realized the risks that come with a global and open internet. Public attention to corporate data collection was front and center—massive data breaches, the Cambridge Analytica scandal, Russian use of social media platforms to interfere in Western democratic elections, and other events all underscored just how much data is being collected and analyzed by private companies, often without the knowledge or consent of citizens.

Looking to the next decade, it’s time for the U.S. Congress to pass long overdue federal privacy legislation. The longer American legislators fail to act, the greater the harms become.

First and foremost, privacy legislation is needed to protect civil liberties and consumer rights. U.S.-incorporated companies can collect data on American consumers with typically few to no restrictions, and there are rarely limits on how that data can be sold or used. Government entanglement with these private data collection systems and databases is also growing. The commodification of personal information and the buildout of digital surveillance infrastructures will not slow down or stop without intervention.

To name just a few examples: Russia interfered in the U.S. 2016 election by leveraging social media platforms’ customization algorithms and ad microtargeting services. Data brokerage firms—which comprise a multibillion-dollar industry of repackaging and selling consumer data—sell datasets full of sensitive information, titled everything from “Rural and Barely Making It” to “Ethnic Second-City Strugglers.” Immigration and Customs Enforcement officials have used information from private data brokers to track down immigrants for arrest. American courts are employing risk assessment algorithms that quickly screen convicts’ profiles and output “risk scores” used to inform prison sentencing—oftentimes falsely labeling black individuals as higher risk than white individuals, and typically without the judge’s awareness of the algorithm’s bias. These kinds of risk assessment tools are increasingly used in sectors from law enforcement to loan allocation and draw on all kinds of personal information.

All these examples of data collection and use are, or leverage, forms of surveillance. Surveillance always has the worst impact on already oppressed or marginalized groups. The history of surveillance systems in the United States confirms this fact, from the way plantation ledgers were used to track slaves to the monitoring of female suffragists in the 1900s to the constant tracking (and sometimes blackmailing) of civil rights activists in the 1960s and people of color in New York City after 9/11. Other examples abound. The U.S. is a democracy, and democracies should work to counter surveillance-driven oppression. In the case of data collection, counteraction includes regulation on data privacy.

Yet the pressing reasons for U.S. federal privacy legislation don’t end there.

The United States is missing an opportunity to collaboratively lead on global data regulation. Particularly over the past few years, the European Union has become the leading global voice for consumer data protection; its GDPR, or General Data Protection Regulation, is now a global standard referenced by governments building domestic data governance regimes. Beijing looked to GDPR in developing elements of its data rules, and a recent draft of India’s Personal Data Protection Bill has components that ring quite similar to those in GDPR, such as the establishment of adequacy agreements. The Japanese and Indian governments have also become global voices around the regulation of cross-border data flows, such as through their work at last year’s G20. American leadership is not where it could be, at a time when the governance of global data flows is becoming more and more important.

The U.S. should also advance federal data privacy legislation to establish strong domestic, democratic norms around data collection and use. It needs not just to protect its citizens but to send strong global signals about how technology should be governed democratically. The Chinese government—heavily active in promoting its preferred technology norms in bodies like the UN and its preferred technology standards in bodies like the Internet Engineering Task Force—is doing this kind of norm-setting, but not in a democratic fashion. Beijing is building out an enormous domestic surveillance state, using technology to censor speech, spy on citizens, and perpetrate large-scale human rights abuses against Uighur Muslims in Xinjiang.

The Chinese government is also massively investing in diplomatic efforts to increase its political and technological influence around the world, and in many cases its engagement and investments in certain countries have led to, or at least coincided with, growing digital authoritarianism on the part of those governments. In contrast to this promotion and normalization of digital authoritarianism, American policymakers should champion democratic tech regulation, and that begins with protecting citizens’ rights at home.

Lastly (though this list is certainly not exhaustive), the U.S. is also missing an opportunity to make its technology companies more trusted abroad. India, for example, is driving its data protection regime in part due to a perception of “data colonialism”—where Western tech companies collect enormous amounts of data on Indian citizens, and those citizens accrue little to no financial benefit. There’s a notable power imbalance that certain government players would like to offset. Several other countries are similarly distrustful of American tech companies (which, if you look at backlash in the U.S. alone around Cambridge Analytica and other scandals, shouldn’t be surprising). Regulating private corporations’ data collection and use could therefore help increase the trustworthiness of U.S.-incorporated companies operating abroad.

This list of reasons for U.S. federal privacy legislation is not comprehensive; there are certainly other reasons for urgency. For example, federal privacy legislation is directly connected to American national security, insofar as Internet of Things privacy lapses have publicly exposed the movements of U.S. military personnel, or as Russia builds off the data collection systems of social media companies to sow discord in American elections. But it should be clear that the need for an American federal privacy law that protects consumers and citizens from unchecked data collection and use is more urgent by the day. Congress would be wise to take action.