| |
| META TOPICPARENT | name="SecondEssay" |
|---|
Privacy Federalism
-- By PatricioMartinezLlompart - 10 Dec 2016 |
|
<
< | City and state governments are emboldened to drive progressive policymaking nationwide as Republicans regain absolute control of the federal government. Whether we call it “progressive federalism” or “state rights for the left,” the future of liberal criminal justice, immigration, and climate change policy may rest with local politicians willing to contest the Trump Administration on its legislative and administrative priorities. The local is also an important arena in which to mediate, defend, and consider the fate of our privacy in the digital age. |
>
> | Call it “progressive federalism” or “state rights for the left,” the future of liberal criminal justice, immigration, and climate change policy may rest with local politicians willing to contest the Trump Administration on its legislative and administrative priorities. The local is also an important arena in which to mediate and consider the fate of privacy in the digital age. |
| | |
|
<
< | Contra the federal executive’s and judiciary’s minimal efforts to protect digital privacy, in recent years, states and cities have taken measures of varying degrees to safeguard personal privacy as the Net’s behavior-collection capabilities became more far reaching. Our current historical moment makes the role of subnational governments as laboratories for political and legislative action of this sort only more urgent. But whatever enthusiasm for the potential privacy protections that may arise subnationally must be qualified. The reach of current state privacy laws seems insufficient and the arms-race for “smart cities” is positioned to turn our urban environs into massive behavior-collection machines. |
>
> | Contra the federal executive’s and judiciary’s minimal efforts to protect digital privacy, in recent years, states have taken measures of varying degrees to safeguard personal privacy as the Net’s behavior-collection capabilities increased. Our historical moment makes the role of subnational governments as laboratories for political and legislative action of this sort only more urgent. But enthusiasm for the privacy protections that may arise subnationally must be qualified. With notable exceptions, the reach of current state privacy laws seems insufficient, and the most ambitious protections face potential constitutional challenges. |
| | |
|
<
< | Contours of State and Local Action
Legislation |
| | |
|
<
< | Proposals for a Consumer Privacy Bill of Rights and an updated Electronic Communications Privacy Act stall in Washington DC. Meanwhile, in Texas, state politicians acknowledge their constituents are “increasingly wary their lives are no lomger going to be their own.” States ranging from California to Oklahoma have passed privacy laws to protect individual information in a variety of contexts. Many of these laws were enacted in response to citizen demands after Snowden’s 2013 revelations of the federal government’s mass surveillance program. |
>
> | Contours of State and Local Action |
| | In 2003 California pioneered a data breach notification law that requires both private and public organizations to notify consumers if their unencrypted personal data is acquired by unauthorized persons. Similar statutes have been adopted in almost every other state. |
|
<
< | California was also first to mandate via legislation that commercial websites and online services publish a privacy policy. The California Online Privacy Protection Act applies to mobile applications and was amended in 2013 to require disclosures by websites and other online services that monitor user activity to build profiles of [user] behavior and interests.”
Most recently, twenty-five states have legislated to disable employers from demanding access credentials to their employees’ personal social media accounts as a condition of employment. More than a dozen states have adopted similar bills to protect student social media accounts from unwarranted access by their academic institutions.
Enforcement and Administration |
>
> | California was also first to mandate via legislation that commercial websites and online services publish a privacy policy. The California Online Privacy Protection Act applies to mobile applications and was amended in 2013 to require disclosures by websites and other online services that monitor user activity to build profiles of [user] behavior and interests.” Most recently, twenty-five states have legislated to disable employers from demanding access credentials to their employees’ personal social media accounts as a condition of employment. More than a dozen states have adopted similar bills to protect student social media accounts from unwarranted access by their academic institutions. |
| | |
|
<
< | Beyond its provisions, the teeth of subnational privacy law is in its enforcement and administration by the pertinent government authorities. |
>
> | Nonetheless, perhaps the high watermark of subnational privacy lawmaking are the statutes that regulate corporate collection and retention of user biometrics—or attributes like fingerprints, retina scans, and facial geometry that can be used to identify a person. Biometric identifiers have become pervasive in the private sector. Financial institutions increasingly use biometric data to authenticate consumers’ identities, whereas social media networks employ biometrics in their photo tagging applications. Unlike replaceable identifiers such as social security numbers, breaches of biometric data may compromise a person’s identity for her lifetime. |
| | |
|
<
< | State attorney generals are front and center to making privacy legislation more than a gimmick. In 2013, Google settled a case filed by 38 states alleging privacy violations through Google's Street View project; the company admitted to collecting passwords, email, and other personal user information. Also in 2013, Google entered into a $17 million settlement with 37 states plus the District of Columbia for bypassing Safari’s default privacy settings and enabling undisclosed third-party user surveillance.
Perhaps in the clearest preview of imminent local-federal clashes, Mayor de Blasio recently announced the municipal government will shield data of undocumented immigrants participating in idNYC from the feds. The program was created, in part, to provide undocumented immigrants residing in New York with a formal identification card. The Human Resources Administration manages the initiative and retains the right to destroy records relating to proof of identity or residency of ID solicitants, per the program’s 2014 enacting legislation. |
>
> | Illinois became the first state to legislate comprehensive biometric data protections, imposing stringent notice and consent requirements on companies that handle such information. Since 2008, the Illinois Biometric Information Privacy Act (BIPA) (1) requires businesses to obtain affirmative, informed consent before collecting biometrics; (2) prohibits the sale of biometric data; (3) mandates the creation of retention guidelines for the data; and (4) allows a private right of action for individuals harmed by violations of the act. Texas is the only other state to have enacted similar legislation, although it permits companies to sell biometric data under certain circumstances and does not create a private right of action. |
| | Is Federalism Salvation? |
|
<
< | State and local action to counter the lessening of our privacy in the digital age is commendable given the federal government’s unwillingness to act. From the brief overview of legislation and enforcement actions outlined above, however, it is clear state and local authorities have yet to substantially limit online service providers’ ability to profiteer off our digital lives, the fundamental unfreedom and injustice of the Net society.
Disclosure does not equate protection. As long as they announce they're collecting it, service providers still act under the law when they collect our behavior and sell it like they please. Disclosing they are collecting, but still allowing them to collect and surveil, is not enough if we envision privacy as a robust triad of secrecy, anonymity, and autonomy. And even if we just hope for compliance with the current regulatory regime’s restrained reach, $7 and $17 million settlements seem meager deterrents for service providers like Facebook and Google. |
>
> | It is unlikely existing federal law preempts state-level biometric regulation. Paul Schwartz observes most federal statutes mandating privacy guidelines for particular industries only set a floor, or basic threshold of protection, that states may well exceed. But the ultimate viability of state biometric statutes may hinge on whether they impose an undue burden on interstate commerce and/or conflict with the “Dormant” Commerce Clause.
Generally, state regulation that affects interstate commerce is constitutional if it advances a legitimate local public interest and its “burden…on such commerce is not excessive in relation to putative local benefits.” A state law, however, may be unconstitutional when it conflicts with “dormant” interstate commerce. While states can regulate their local affairs in ways that affect interstate commerce “as long as they do not impermissibly trespass upon national interests,” the absence of federal regulation may indicate Congress wants a particular issue to remain unregulated, for which state laws to the contrary could be unconstitutional. |
| | |
|
<
< | Moreover, local leaders’ public statement announcing they will stand off federal officials who attempt to intrude upon the privacy of their urban denizens conflicts with their willingness to embrace the smart city gospel. Making city services more efficient and user-accessible should certainly be a priority for any municipal administration. But is installing cameras and censors in every corner—creating a “total information awareness scheme”—the answer to that? If we don’t like our city’s privacy policy, do we have the ability to opt out? |
>
> | Faced with a Commerce Clause challenge, Illinois and other states that adopt expansive biometrics regulations are likely to assert they have legitimate interest in creating statutory safeguards for their citizens’ identities and personal information in the digital age. In turn, affected interstate market actors would maintain the burden of state-specific biometrics regulations on their businesses transcends an “intangible,” governmental interest in the protection of individual privacy. For example, social media or photo-sharing platforms that employ biometric tools as a default would have to locate residents of BIPA states and provide them with an opportunity to provide affirmative consent. This, the companies would argue, translates into higher design and engineering costs just to engage in business within BIPA states—the sort of burden on interstate commerce the Supreme Court rejected in Pike and South Pacific Co. v. Arizona as excessive in relation to a countervailing local public interest. Facebook recently counterclaimed a similar argument in its active litigation with a class of Illinois residents who allege the network’s “opt in” face-recognition photo tagging system violates BIPA. Companies could also contend BIPA violates dormant commerce on grounds that a patchwork of state-level biometric regulations clashes with a presumptive federal interest in national uniformity with regards to privacy law. |
| | Salvation is Individual |
|
<
< | Despite the observable limits of current attempts at state and local privacy lawmaking, in the near future, further legislative or legal innovations to protect our digital privacy are likely to stem from this subnational scene. Local public officials across the partisan spectrum have demonstrated their willingness to talk privacy and grapple with the implications of its erosion in the digital era. It’s on us to mobilize and advocate for better. A potential first step: Demanding legislation that bans the sale and requires the deletion of metrics collected through smart city infrastructure. We may not be able to opt out from our city’s surveillance apparatus, but we are still free to opt into our political process and demand action.
It would have been useful to provide examples of the state-level legislation (in the area of biometrics, for example) so that the reader could understand both what might be undertaken, at what conceptual levels, and what the likelihood is of preemption, in the interest of what will genuinely be a growing burden on interstate commerce. Taxation will be a reasonably good guide to go by, in this area, won't it? Or why? |
>
> | Most states have yet to limit the ability of online service providers to profit off our digital lives. Disclosure mandates are insufficient if corporations act legally when they aggregate and package our behavior for sale. But despite the observable limits of current attempts at lawmaking, short-term legislative or legal innovations to protect digital privacy are likely to stem from this subnational scene. Local public officials across the partisan spectrum have demonstrated their willingness to talk privacy and grapple with the implications of its erosion in the digital era. Since the beginning of 2017, the legislatures of four states—Alaska, Connecticut, New Hampshire, and Washington—have introduced bills to regulate biometric data modeled after Illinois’ BIPA. It’s on us to mobilize and advocate for more. Only then the promise of a right that enshrines privacy as a robust triad of secrecy, anonymity, and autonomy will no longer be elusive. |
| | |
|
<
< | |
| |
\ No newline at end of file |