Does the U.S. Need a GDPR-Like ‘Data Bill of Rights’?

Does the U.S. tech industry need the equivalent of the European Union’s GDPR, stringently regulating how companies can store and use customer data?

Ro Khanna, a U.S. Representative in California (D-CA 17th district), recently consulted with prominent members of the tech industry (including Tim Berners-Lee and Nicole Wong) and came up with a “Bill of Rights for the internet,” as Kara Swisher called it in a New York Times op-ed.

Here’s that list:

You should have the right:

(1) to have access to and knowledge of all collection and uses of personal data by companies;

(2) to opt-in consent to the collection of personal data by any party and to the sharing of personal data with a third party;

(3) where context appropriate and with a fair process, to obtain, correct or delete personal data controlled by any company and to have those requests honored by third parties;

(4) to have personal data secured and to be notified in a timely manner when a security breach or unauthorized access of personal data is discovered;

(5) to move all personal data from one network to the next;

(6) to access and use the internet without internet service providers blocking, throttling, engaging in paid prioritization or otherwise unfairly favoring content, applications, services or devices;

(7) to internet service without the collection of data that is unnecessary for providing the requested service absent opt-in consent;

(8) to have access to multiple viable, affordable internet platforms, services and providers with clear and transparent pricing;

(9) not to be unfairly discriminated against or exploited based on your personal data; and

(10) to have an entity that collects your personal data have reasonable business practices and accountability to protect your privacy.

It’s easy to see why this list, if implemented, would prove a very good thing for consumers. In this era of widespread data breaches, who wouldn’t want to know when someone hacked their personal information? In a similar vein, many consumers would like the ability to vaporize their data instantly, if and when they wanted to.

For companies, however, a “Bill of Rights” like this is more problematic. Many firms make a lot of money off consumer data, and it’s in their interest to keep as much of that data as possible on their respective platforms. The key to that stasis, of course, is making it as difficult as possible to delete and/or move data from one service to another.

There’s also the small matter of Provision 6 on this list. The prospect of companies throttling data (or engaging in paid prioritization) is at the center of the current net neutrality debate, and it’s clear how the FCC currently leans on the issue. In case you haven’t been following the news, the federal government plans on suing California over the latter’s attempt to enforce net neutrality within state borders. This part of a “Bill of Rights” wouldn’t fly, at least during the current administration.

For companies big and small, instituting the items on this list would also require a massive re-architecting of backend systems, databases, and even front-end UX. When the EU instituted GDPR, some tech companies backed out of Europe entirely rather than deal with the new rules; if something similar were made law in the U.S., chances are good that you’d see a rush of shutdowns, with some companies opting to dissolve rather than handle data differently.

For tech pros everywhere, whether independent or part of a larger company, debates like this are a good thing to keep your eye on. You never know when new data governance might pass, requiring you to radically change how you treat data. But hey, your customers will likely love having tighter control over their information.

One Response to “Does the U.S. Need a GDPR-Like ‘Data Bill of Rights’?”

  1. They should have something in the legislation to put a stop once and for all to the so-called telemetry that Microsoft has installed in its operating systems. Most of the time, Windows 10 has been getting the attention about this telemetry, but it is being forced-in as updates to Windows 7, Windows 8, and Windows 8.1 as well. Sometimes, the telemetry comes in with a driver-requirement for a new application that was merely compiled with Microsoft’s Visual Studio.