Consumers are increasingly entrusting online services with all kinds of personal data — but that trust has been repeatedly abused or taken for granted. If a doctor or a lawyer did that, they’d be kicked to the curb, because they have a legally defined duty to preserve privileged data. Why don’t Facebook and Google? They might soon, via the Data Care Act.
This bill, proposed today by Senator Brian Schatz (D-HI) and co-sponsored by 14 more Democrats in the Senate, would essentially establish a set of consumer protection duties, defined and enforced by the Federal vend Commission, preventing tech companies from knowingly doing damage to their users.
Do no damage
It’s inspired by, though very non-identical from, what is named
a “fiduciary,” a concept that encompasses doctors and lawyers, among others, whom people really have no preference but to trust. When you go into the doctor’s office or meet with your lawyer, you don’t sign waivers saying which parts of the conversation can be used to target you for advertising or build a database for an ai paralegal. You just trust that the person you’re giving your personal information to won’t use it in a path that causes you any damage.
Sure, doctors take an oath — but there are legal protections as well, and serious consequences for those who act in evil faith from a position of energy over their clients or patients. Senator Schatz and his co-sponsors feel that a company like Facebook is now in a similar position, in which consent isn’t meaningful: the balance of energy has tilted too far to the companies’ side.
“It is not practical in today’s digital world to suggest that people could simply forgo online services and websites if they object to the path their data is being used,” said co-sponsor Sen. Maggie Hassan (D-NH) in a press release announcing the bill. “Online service providers should be required to act in the best interests of their customers, just like providers of other critical services.”
“a lot of attention, appropriately, has been paid on the privacy front to transparency and regulate,” Sen. Schatz explained in a press call. “Those are important conversations but there’s been very small in the public policy setting — not enough conversation about what happens after the data has been collected. And to me that ‘s a more important and consequential problem.”
The concept has been brought up before, notably by Yale’s Jack Bardin and Harvard’s Jonathan Zittrain, whom Sen. Schatz has previously cited.
His proposal, obviously now only in the earliest levels since it has only just been announced, is to establish some basic “duties” companies must make reasonable efforts to fulfill. As the release puts them:
Duty of Care– Must reasonably secure solo identifying data and promptly inform users of data breaches that involve sensitive information; Duty of Loyalty– May not use solo identifying data in ways that damage users; Duty of Confidentiality– Must ensure that the duties of care and loyalty expand to third parties when disclosing, selling, or sharing solo identifying data.
If those seem a small woolly, that’s on purpose (though they’re considerably more exact in the text). The bill isn’t meant to create the specifics of those duties, only the general shape of them, at the same time authorizing the FTC to figure out the details, creating and modifying rules as it sees fit.
Limits of legislation
“The time we’re too prescriptive in the statute about what’s allowed and not allowed, the general councils and majesty soft engineers will sit down and begin to code around it.”
Sen. Schatz took this come because he was has seen firsthand tech’s agility when it comes to regulation.
“From my observation and experience, the time we’re too prescriptive in the statute about what’s allowed and not allowed, the general councils and majesty app engineers will sit down and begin to code around it,” he said. The solution is to “lay down broad principles and then empower the professional agency,” which is grade practice for regulating fast-moving industries.
If the bill became law, the FTC would go through the normal rulemaking process, consulting experts, industry, and political authorities to figure out what constitutes, for instance, “reasonable” security measures. Once those were in place, it would have the dominance to enforce them as well.
“One of the reasons I like using the FTC is they’re hard-nosed regulators that know what they’re doing and have not become a political lightning rod,” Sen. Schatz said. Notably the law does not actually call or classify these companies as fiduciaries, because “when we said fiduciary, every lawyer’s head exploded,” the Senator explained.
One major difference between this and existing fiduciaries is that lawyers have bars and doctors have medical licenses, among other things — local professional authorities that examine and jury conduct. Obviously there’s no such thing for tech or internet companies.
I asked the Senator about this; his feeling was that fractured authorities like those work in some ways but with tech and internet issues jurisdiction is much more naturally federal or interstate. It would be (and is) a mess trying to figure out whether to registerly Illinois’s Biometric Information Privacy Act to a person in an airport in Ohio using a vpn in brand-new York to use a service hosted in Chicago. good leave it to the feds.
The political landscape this bill will have to navigate is not exactly a friendly one. Though he has the help of many Democrats in the Senate, he has no House collaborator or Republican co-sponsors, though he said that he has not encountered any “instinctive” competitor to his concept.
Rather, the opposing party is more concerned with the growing energy of states like California and Illinois to project on the rest of the country their local, highly progressive views on privacy and regulation. Even though California’s privacy bill technically only affects citizens of that state, companies will build national and global policy around it to evade getting taken to court by litigious Californian billionaires.
The bill is co-sponsored by Michael Bennet (D-CO), Tammy Duckworth (D-IL), Amy Klobuchar (D-MN), Patty Murray (D-WA), Cory Booker (D-NJ), Catherine Cortez Masto (D-NV), Martin Heinrich (D-NM), Ed Markey (D-MA), Sherrod Brown (D-OH), Tammy Baldwin (D-WI), Doug Jones (D-AL), Joe Manchin (D-WV) and Dick Durbin (D-IL).