American GDPR? The GAO’s Case For A Consolidated Internet Privacy Law
Remember Cambridge Analytica? You should, because they remember you! That particular breach spurred the US Government Accountability Office (GAO) to conduct a sixteen month review of the current state of Internet privacy in America. They concluded what we all knew but they were able to officially state on the record to Congress: that the US has no consolidated Internet privacy statute. Their recommendation: we need one!
The GAO publicly released their report (spurred by the loss of 87 million Facebook users’ personal data) two days ago on February 13th. If you happen to look at the publication date it reads January 15th but you’re not a month behind the power curve: the GAO gives some stakeholders a chance to digest the results and recommendations before it goes public.
The report’s main recommendation was that “Congress should consider developing comprehensive legislation on Internet privacy that would enhance consumer protections and provide flexibility to address a rapidly evolving Internet environment.” Currently, Federal Internet privacy is covered by a patchwork of sector-specific statutes, from the Children’s Online Privacy Protection Act (COPPA), enforced by the Federal Trade Commission (FTC), to the Health Insurance Portability and Accountability Act (HIPAA), overseen by the Department of Health and Human Services. The takeaway: the current state of affairs has both gaps (data that no statute covers) and limitations (statutes that cover data but give the enforcing agency little room to act).
Stakeholders interviewed by the GAO had some creative suggestions for closing the current gaps. For example, the FTC is authorized to take action against companies that engage in “unfair or deceptive” practices, but some stakeholders suggested that Congress might create an entirely new office to enforce privacy outside of the FTC, which could operate under a different standard. Stakeholders also suggested that a consolidated framework would allow either the FTC (or a new entity) to take proactive action instead of waiting for a complaint before conducting a review. Most agreed that any new legislation should balance the need to collect and use data with consumers’ right to privacy. They also stressed that any new framework should be flexible and technology-neutral so that it continues to promote innovation.
Ultimately, the GAO suggested comprehensive legislation and posed three primary areas for consideration. First, Congress should decide who is in charge of Internet privacy: the FTC, the FCC, another existing office, or a new one. Second, Congress needs to spell out the specific authorities that office has. This includes rulemaking authority, similar to how OSHA develops workplace safety rules. Third, Congress needs to decide how to balance consumers’ Internet privacy needs against industry’s need to innovate. I think it’s important to remember that the GAO can only make suggestions to Congress. It will be interesting to see where, if anywhere, Congress heads with the information and suggestions in the report.
The GAO was created in 1921, works directly for Congress, and aims to “improve accountability by alerting policymakers and the public to emerging problems throughout government.” Honestly, they write some really interesting reports, like the one on the Equifax breach and its lessons learned, which I wrote about, and this one on building integrated information technology teams.