Data access: An unprotected human right
As the digital world grows, user data has become more accessible for businesses to collect for their own use. In April, Facebook brought this issue to light when the company harvested the data of 87 million users and sold it to Cambridge Analytica.
This scandal isn’t the first such incident, but it has raised the question of whether the United States is doing enough to protect users’ rights.
“Data protection is itself a right. It’s not a right that’s recognized in every single document,” Amie Stepanovich, a US Policy Manager at Access Now in Washington DC, said at the EF Hutton Talks Conference Series held on Monday, June 25.
Currently, the European Union recognizes data privacy as a human right, and on May 25th it introduced its newest privacy law, the GDPR (General Data Protection Regulation). The law ensures that users consent to how their data will be collected and by whom. Companies will no longer be allowed to force users into agreeing to their policies, and they must provide a clear explanation of their data collection and why the data is being collected.
However, the US has no federal data protection law. Sector-specific laws exist, such as HIPAA (Health Insurance Portability and Accountability Act) and FERPA (Family Educational Rights and Privacy Act), as does the Federal Trade Commission Act, which requires businesses to inform users when their data is transferred to a third party. Lastly, there are state-specific laws. According to Stepanovich, the lack of federal protection is where the issue lies.
“From our perspective, this has driven companies towards collecting data before they’ve even figured out what their business model is going to be,” Stepanovich said. “They default to data collection as a business model when they don’t necessarily have to,” she continued. “This generally results in policies that are less responsible, unsecure and not connected to an actual reason or basis for collecting data.”
According to Access Now, the following five bills have been introduced to Congress to be implemented or revived:
Consumer Privacy Protection Act: This law would create privacy and data security programs, in addition to risk assessments and privacy and security testing. The FTC will also be granted more authority to allow Attorney Generals
BROWSER Act (Balancing the Rights of Web Surfers Equally and
CONSENT Act (Customer Online Notification for Stopping Edge-provider Network Transgressions): The FTC would have to communicate privacy rules to edge providers within a year. The rules would set notification requirements for using, collecting and transmitting data, and would cover to whom the data is sold and how that user’s data is protected. There would also be an opt-in consent for the transmission, use and sale of sensitive material.
MY DATA Act of 2017 (Managing Your Data Against Telecom Abuses Act): This bill states that it’s unlawful for an edge or broadband provider ‘to use an unfair or deceptive act or practice relating to privacy or data security.’
Secure and Protect Americans’ Data Act: The FTC would have to communicate regulations on the collection of personal data, as well as the access, retention and destruction of personal information.
As these bills are introduced to Congress, it’s unclear if or when we will have a federal law.
“We’re not really protecting people’s rights and as such, it’s Access Now’s point of view that this situation is really not sustainable,” Stepanovich said.