Facebook, Google, IBM, and Microsoft have all reportedly “aggressively lobbied” the current administration to start developing a federal privacy mandate. Recently, Cisco joined that chorus of tech giants (“Big Tech”) calling for stronger American privacy laws. Intel has gone a few steps further, drafting its own version of a U.S. privacy bill and opening an online information portal through which it will offer privacy consulting services regarding its proposed law. Though there is both industry and congressional support for regulation, there has yet to emerge a consensus for a framework of said legislation.
A proposed regulation can draw upon elements of existing regulation, including the General Data Protection Regulation (GDPR) and the APEC Cross-Border Privacy Rules (CBPR), as well as impending regulation, such as the California Consumer Privacy Act (CCPA) for guidance. And, because technology becomes quickly outdated, any regulation should focus less on solving for specific problems and more on principles for thinking holistically about programmatic data management and usage across an organization.
Regulate Principles, not Actions
Technology innovation has been accelerating for decades. Advancements are only going to become even more critical across all aspects of business and society moving forward through boosts to the economy and standards of living. Self-driving cars, for example, are likely to improve society by helping people avoid accidents and get to places more efficiently. However, technology innovation can also offer drawbacks.
If the data that self-driving cars generate is breached, or otherwise used maliciously, that can produce unintended negative consequences. The question tech industry regulation must answer is “How can we further technology ecosystem development, while ensuring we have safeguards for when it begins to stop helping make the world a better place?”
In effect, regulation can be the foundation—guiding principles—of a bridge that spans the gap between the benefits technological advancements provide and our trust that those advancements won’t be used in a harmful manner. Core among these guiding principles should be increased transparency, knowledge, and the ability for consumers to make decisions about their data on their own behalf.
Encourage Companies to Engrain Privacy Accountability
Creating guiding principles may be a better approach to regulation in part because regulating actions becomes difficult. Legislation being proposed right now, including the CCPA, is often about rules and enforcement rather than accountability. Organizations can check certain compliance requirements off a list, but they do not necessarily engrain accountability for privacy into their business culture. Regulating guiding principles rather than specific actions can better help introduce accountability into the dialogue to drive business responsibility.
For example, strictly requiring a company to post an online privacy notice to give people the ability to consent or opt out doesn’t get to the heart of the problem: appropriate data use. When appropriate data use isn’t core to a company’s compliance mechanism, it leads to improperly protecting data and makes it more likely that the unintended negative consequences of technology advancement occur.
Turn Companies Into Data Stewards
Regulation should be a data issue, not a compliance issue. Legislation must shift the discussion to how companies handle data. In doing so, new laws can help organizations become responsible data stewards while also maximizing the strategic use of their data. This type of approach can create accountability for senior leaders in the organization.
To encourage engrained privacy practices, any regulation should create accountability requirements. The GDPR requires that companies develop a privacy program and disclose the mechanisms of that program annually. New legislation should require that organizations create a program that involves having internal policies and procedures, internal awareness, an appointed person responsible for managing the program, a way to manage consumer complaints and give feedback to those who have given complaints, corporate oversight with employee training, and more.
A new regulation should require that organizations implement similar privacy programs and report on those programs publicly in documents like annual 10Ks.
Focus on Data Itself to Change the Privacy Paradigm
In the U.S., privacy regulators can learn from other disciplines that have already incorporated similar legislation into their industry’s guidelines. Consider that large industrial organizations must follow certain guidelines to meet environmental requirements. A cross-disciplinary approach can highlight strong regulations that have already been written that might guide privacy legislation.
Above all, the regulation must make the centerpiece responsible data handling in the context of driving the business forward. Too often, legislation gets caught up in language about “consent,” or “online,” when the real risk is in the data itself. Legislation must create principles that encourage an obligation for responsible data management. Only then can the industry drive a different paradigm necessary to protect people and their data.