By Greg Varner
The data privacy landscape in the United States is enormously messy, thanks in large part to ineffective laws that put the onus on individuals to watch out for themselves.
That was part of the message delivered by Daniel Solove, John Marshall Harlan Research Professor at GW Law, in a keynote speech marking what has been designated “Data Privacy Month” by the GW Privacy Office.
Solove is a leading expert on privacy law. He is the author of several books, including “The Future of Reputation: Gossip and Rumor in the Information Age” and the forthcoming “Breached! Why Data Security Law Fails and How to Improve It” (co-authored with Woodrow Hartzog), to be published next month.
Most internet users have at least a dim awareness that information is being gathered about them at each website they visit, with the end result that a massive amount of data exists in digital form. What happens to that data? What laws protect our personal information? How effective or practical are these laws?
“The answer’s rather complicated,” Solove said, “because there are so many different privacy laws.”
In fact, he said, there are thousands of laws in the United States and around the world. The most comprehensive law is in the European Union (EU), where the General Data Protection Regulation (GDPR) was passed in 2016, going into effect in 2018.
A number of American states have passed broad privacy laws since 2018, but the nation as a whole lacks comprehensive legislation, making the United States an outlier now among large industrialized nations.
Instead of a law on the order of the GDPR, which applies across all industries, Solove said, the United States has many sectoral laws, each targeting particular business sectors. Despite growing awareness of the need for a comprehensive privacy regulation, it is unlikely to be met soon.
“Congress, unfortunately, is unable to change a lightbulb these days,” Solove said.
Cristina Grigore, privacy manager in George Washington University’s Office of Ethics, Compliance and Privacy, served as moderator for the event, presenting questions from those in attendance. Could the creation of the GDPR, one person wondered, serve as a blueprint for collaboration between American states in developing such regulation?
“The GDPR is taking over all around the world as the global standard,” Solove said, adding, “In a way, by not acting, Congress has ceded the regulation of privacy to the EU.”
A side benefit of the regulation is that it provides a model for American privacy officers.
“For a long time,” Solove said, “privacy officers at companies wouldn’t have anything they could go to upper management with and say, ‘We should do this.’ The GDPR is nice because it says ‘You need to do all these things, and if you don’t do them, there’s a big, big penalty.’ Those are the magic words to the upper management.”
Unfortunately, given the complexity of the world of data privacy, the GDPR is very unlikely to be a silver bullet for America’s troubles.
While several privacy laws have been passed, Solove said, they rely on approaches doomed to fail. Though they spell out various rights — to see the data being collected about us, to find out about the purposes for its collection, to correct or delete it and so on — they put an unfair onus on the individual.
“There are thousands of companies that have data about you,” Solove said, “and there’s no way that an individual is going to have the time to find out all this information about what is gathered.”
For example, individuals have a right to correct data, but this places them in the untenable position of being a proofreader for potentially thousands of companies. The situation is aggravated by the fact that data changes every day.
“Companies are gathering information about you every single day,” Solove said. “Do you have to check every week? Every month?”
The solution is in more structural types of regulation, he said. Until such regulation is enacted, the laws mainly pay lip service to admirable principles, but the enforcement of those principles tends to be weak, and penalties amount to a slap on the wrist.
Other questions from attendees addressed whether the Federal Trade Commission might play a role in protecting data privacy; how the data privacy landscape has changed over time; and how individuals might help effect the creation of greater privacy protections.
“It’s important that policy makers know that people care about these issues and will act on them,” Solove said, while cautioning, “The law is deficient. All of the individual efforts are re-arranging deck chairs on the Titanic.”
