Law in the Internet Society

We Need a Federal Online Privacy Regulatory Framework

I. The Ecology of Privacy

One cannot think of privacy concerns as issues of individual action and responsibility. This perspective misses the reality that the problems of privacy deal with multiple interconnected biological and non-biological actors. Take one neighborhood, for example. Let's say that House A and House B both have access to a mechanism that will protect them from any privacy concerns. Nevertheless, it is up to each house to sign up or accept the security, creating a system where only some homes in the neighborhood are protected. This regulation is ineffective because it is akin to using an umbrella with holes during the rain; some water is bound to get through, and you will ultimately end up wet. It works similarly when private consumer data protection differs from state to state. Just like water, the internet doesn't stop at state lines.

II. Basing online Privacy Regulation on Environmental Regulatory Principles

The National Environmental Policy Act (“NEPA”) requires federal agencies to assess the environment effects of their proposed actions before making decisions. In other words, the NEPA sets an overarching set of commitments and requires people to move consciously to make impact statements that are justiciable in federal courts. NEPA establishes “the broad national framework for protecting our environment.” Under NEPA there is a vertical regulatory schemes that deal with specific areas of the environment in which we want the government to achieve the objective set by i.e., The Drinking Water Act ("SDWA") and The Clean Air Act (CAA)

According to the Environmental Protection Agency ("EPA"), "under the SDWA, EPA sets standards for drinking water quality and oversees the states, localities, and water suppliers who implement those standards." Even though different actors might have different needs in various contexts, there is still a uniform set of federal standards for drinking water across the United States. In the water regulatory scheme, it is not up to each individual whether they receive lead-poisoned water; it's up to the government actors to do their jobs and set uniform standards across the country. Similarly, the onus of securing online privacy should not be on citizens but on government actors whose job is to set standards and regulations.

III. Imagining a National Privacy Security Policy Act (“NPSP”)

Currently, "the United States doesn’t have a singular law that covers all types of data privacy. Instead, it has a mix of laws that go by acronyms like HIPAA, FCRA, FERPA, GLBA, ECPA, COPPA, and VPPA.” The way our current privacy (or lack therefore) regulatory framework works is akin to allowing your neighbors use lead-poisoned water. You think your water is safe from pollution. Privacy regulation is an ecological issue and must be regulated as such.

We must imagine what the NEPA equivalent statute for privacy regulation would look like. What overarching set of commitments or standards would it layout? This paper proposes a National Privacy Security Policy Act (“NPSP”). The act would establish a broad national framework for protecting American citizens’ privacy. It is imperative to stress that this act and any verticals to follow focus on protecting people, not data. I also want to note my limitation in suggesting specific commitments and standards, given that I am not a privacy expert, and we need experts to develop these standards. However, I can humbly law out a brief blueprint.

Congress knows to protect people v. protecting data, at least when it wants to. “The Bork Tapes” refers to a series of 146 videotapes rented out by then Judges Robert Bork from Block Buster Videos. During his supreme court confirmation hearings, the City Paper published Bork’s rentals in a cover story called “The Bork Tapes.” Congress responded by passing the Privacy Protection Act (VPPA), which forbids the sharing of video tape rental information with anyone. However, in 2012, “after lobbying by Netflix, Congress and President Obama stripped away much of the VPPA” to allow many companies to begin selling users' data at will.

The watering down of the VPPA uncovered a critical fact: The gap in privacy regulation is not a vacuum but a structure that was put there to repeal, and it's carefully designed to repeal new regulations. Lobbies of companies like Netflix have carefully arraigned a “no-law zone”; these platforms’ creation of a no-law system is carefully maintained in and by the United States Senate, which results in an unwillingness to use the democratic process to protect people. This lack of security regulations an engineered item.

The NPSP would fill in the gap by making it illegal to sell user data to third parties. It would also take away Congress’ power to make this decision by putting those regulatory schemes in the hands of a federal agency such as the Online Privacy Regulatory Commission. Companies like Netflix, Hulu, and Facebook would have to make impact statements about their privacy regulations that are justiciable in federal courts.

A federal regulatory body would keep actors in check and impose fines and criminal sanctions when the act is violated. i.e., if a company is found to be selling data to third party vendors when it released a statement that it would not, the company would be open to civil and criminal charges. Like the EPA or the Nuclear Regulatory Commission, the Online Privacy Regulatory Commission would be an independent agency with rulemaking authority whose job would be to set standards and regulations for online privacy control and oversee that States and Online service providers implement these standards.




Webs Webs

r5 - 06 Feb 2024 - 04:45:24 - AllysonChavez
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM