28 May 2018

The General Data Protection Regulation sets privacy by default

Tom Wheeler

Tom Wheeler served as the 31st Chairman of the Federal Communications Commission from 2013-2017. In a few days, the nations of the European Union take the first step to establish a New Digital World Order when the General Data Protection Regulation (GDPR) goes into effect on May 25. For the first time , government has stepped in on a comprehensive basis to oversee the unregulated collection of personal information through the internet. Unfortunately, it is not the United States of America that is leading the world in protecting personal rights. Instead, the Old World is leading the New World. In an interconnected world, the imposition of rules protecting European citizens will have a trickle-down effect on U.S. citizens. But the birthplace of the internet and the beacon of individual rights should not settle for such spill-over benefits. The GDPR debate about privacy has been going on for almost six years, during which American policymakers have ignored corporate subversion of personal privacy. While their European counterparts wrestled with the issues and resisted a massive lobbying campaign, the U.S. Congress has looked the other way.

Worse than looking the other way, the Trump Administration and Congress repealed the only existing regulations to protect the privacy of American consumers. The Obama-era Federal Communications Commission (FCC) imposed privacy protection obligations on the networks that take consumers to and from the internet, seeing everywhere a person goes and everything they do. The networks and the internet platform companies teamed up to lobby the new Republican government to repeal those protections. Worse yet, they not only repealed the privacy protections, but also told the FCC they could never again require similar protections.

We live in a digital world where corporations control a vast database of personal information that Big Brother would envy. Every day our connected world creates 44 exabytes of new data (an exabyte is one quintillion or 1018 bytes). It is an amount equal to three million Libraries of Congress – collected daily! Reflecting both consumer and industrial data, this astonishing number reflects how anything we do in the digital world creates a data record.

The GDPR is important because the invasion of privacy we have seen thus far is only the first wave of a coming tsunami. The increase in connected consumer services and devices also means an increase in the collection of consumer data and its threat to privacy. According to an IDC study, the average number of daily data-capturing consumer activities is about to increase exponentially with an accompanying surge in the information collected about each of us.

The time is now to come to grips with the explosion of personal data being created, collected and stored. There must be rules about the collection and use of data that tells a story about each of us before it is too late. The GDPR starts to put guardrails on this personal data explosion. It is not perfect, and much remains to be filled in by administrative and judicial decisions – but it is a beginning, a genesis that should embolden, inform, and shame our national leaders. The EU has broken the inertia, and it is time for the U.S. government to move from a laggard to a leader in the protection of the personal privacy of its citizens.

FRAMING THE AMERICAN PRIVACY DISCUSSION

Two over-arching principles should frame the debate about the privacy of Americans. First, personal data is the consumer’s property, parting with that property must be an opt-in decision. Second, privacy should be a forethought rather than an afterthought in the design of digital services.

Under a smokescreen of legalese, the internet companies – both networks and service platforms – siphon, store, and sell the most personal of private information. Our location, our search for information and services, our friends, and our interactions are meticulously collected, logged and packaged for resale. Private information has been transformed into a corporate capital asset.

Before the rise of the internet’s information vultures, data about our life patterns were an ancillary effect of consumption. Combining zip codes with auto registration information, for instance, painted a rough picture of some aspects of our lives. The rise of “free” internet services that track everything we do online changed that granularity. The picture that was painted of each of us moved from cubist-like blocks of information to pointillist precision.

The picture that was painted of each of us moved from cubist-like blocks of information to pointillist precision.

Private information has been transformed from being an asset of the creator, the consumer, to an asset of the collector, the corporation. It was a stealthy transformation hiding behind the façade of “free.” Rectifying this transfer of rights must be a central part of any privacy reforms.

Transforming a personal asset like private information into a corporate asset is 21st century digital feudalism. In feudal times the individual’s labor was a possession of the master. In the digital age, the individual’s personal information has become a possession of the new digital master.

The industrial age saw a switch from feudalistic labor as capital to recognizing labor as an input to a capital-infused process. During the late 19th and early 20th centuries, legislation and collective bargaining protected the rights of working individuals against the power of capital. We now stand at a similar threshold to determine whether the private information of each of us is our asset (i.e., the results of our labor), or the asset of the digital overlords.

The transformation of private information from a personal asset to a corporate asset was the result of early internet investors’ quest for fast returns. Rather than the slow buildup of paying subscribers, the internet ethos was to move fast and grow relationships with consumers by offering everything for “free,” even if that meant losing money early on. Having entrenched themselves with consumers, those relationships were then monetized by exploiting the information collected about each user to target messages from advertisers. It was such a successful model, leading to significant returns, that the logical response was, “If the basic information we’ve collected is valuable, then even more granular information should be even more valuable.”

By design, the internet business model became a violation of privacy. Thus, the second overarching principle of privacy reform must be to reverse that paradigm. Internet networks and platform services must be expected to offer privacy by design.

The GDPR makes a good start at such privacy by design by defining “privacy by default” and “data protection by design.” Rather than a business plan based on how much data can be collected, GDPR asks how much data is needed to provide the specified service. Similarly, GDPR requires the default assumption to be the protection of information rather than today’s default to exploitation of the information.

Such privacy by design is not a revolutionary concept. In 2012, the U.S. Federal Trade Commission (FTC) recommended companies practice the principle, but it was only a suggestion because the FTC lacks the ability to make rules. The GDPR, however, is not a suggestion. Therein lies the heart of the EU’s leadership: while the American government prevaricated with suggestions from the FTC and revocation of FCC regulations, the European Union moved forward to get in front of the tsunami of data collection that is on the horizon.

Personal privacy is rapidly becoming a civil rights issue for the digital age. The Europeans identified the issues and suggested solutions. It is time for the American government to step up and stand up for their citizens’ privacy.

No comments: