Law in the Internet Society

Privacy Federalism

-- By PatricioMartinezLlompart - 10 Dec 2016

City and state governments are emboldened to drive progressive policymaking nationwide as Republicans regain absolute control of the federal government. Whether we call it “progressive federalism” or “state rights for the left,” the future of liberal criminal justice, immigration, and climate change policy may rest with local politicians willing to contest the Trump Administration on its legislative and administrative priorities. The local is also an important arena in which to mediate, defend, and consider the fate of our privacy in the digital age.

Contra the federal executive’s and judiciary’s minimal efforts to protect digital privacy, in recent years, states and cities have taken measures of varying degrees to safeguard personal privacy as the Net’s behavior-collection capabilities became more far-reaching. Our current historical moment makes the role of subnational governments as laboratories for political and legislative action of this sort only more urgent. But any enthusiasm for the privacy protections that may arise subnationally must be qualified. The reach of current state privacy laws seems insufficient and the arms race for “smart cities” is positioned to turn our urban environs into massive behavior-collection machines.

Contours of State and Local Action

Legislation

Proposals for a Consumer Privacy Bill of Rights and an updated Electronic Communications Privacy Act stall in Washington DC. Meanwhile, in Texas, state politicians acknowledge their constituents are “increasingly wary their lives are no longer going to be their own.” States ranging from California to Oklahoma have passed privacy laws to protect individual information in a variety of contexts. Many of these laws were enacted in response to citizen demands after Snowden’s 2013 revelations of the federal government’s mass surveillance program.

In 2003 California pioneered a data breach notification law that requires both private and public organizations to notify consumers if their unencrypted personal data is acquired by unauthorized persons. Similar statutes have been adopted in almost every other state. California was also first to mandate via legislation that commercial websites and online services publish a privacy policy. The California Online Privacy Protection Act applies to mobile applications and was amended in 2013 to require disclosures by websites and other online services that monitor user activity “to build profiles of [user] behavior and interests.”

Most recently, twenty-five states have legislated to disable employers from demanding access credentials to their employees’ personal social media accounts as a condition of employment. More than a dozen states have adopted similar bills to protect student social media accounts from unwarranted access by their academic institutions.

Enforcement and Administration

Beyond its provisions, the teeth of subnational privacy law are in its enforcement and administration by the pertinent government authorities.

State attorneys general are central to making privacy legislation more than a gimmick. In 2013, Google settled a case filed by 38 states alleging privacy violations through Google's Street View project; the company admitted to collecting passwords, email, and other personal user information. Also in 2013, Google entered into a $17 million settlement with 37 states plus the District of Columbia for bypassing Safari’s default privacy settings and enabling undisclosed third-party user surveillance.

Perhaps in the clearest preview of imminent local-federal clashes, Mayor de Blasio recently announced the municipal government will shield data of undocumented immigrants participating in idNYC from the feds. The program was created, in part, to provide undocumented immigrants residing in New York with a formal identification card. The Human Resources Administration manages the initiative and retains the right to destroy records relating to proof of identity or residency of ID solicitants, per the program’s 2014 enacting legislation.

Is Federalism Salvation?

State and local action to counter the lessening of our privacy in the digital age is commendable given the federal government’s unwillingness to act. From the brief overview of legislation and enforcement actions outlined above, however, it is clear state and local authorities have yet to substantially limit online service providers’ ability to profiteer off our digital lives, the fundamental unfreedom and injustice of the Net society.

Disclosure does not equate to protection. As long as they announce they're collecting it, service providers still act under the law when they collect our behavior and sell it as they please. Disclosing they are collecting, but still allowing them to collect and surveil, is not enough if we envision privacy as a robust triad of secrecy, anonymity, and autonomy. And even if we just hope for compliance with the current regulatory regime’s restrained reach, $7 and $17 million settlements seem meager deterrents for service providers like Facebook and Google.

Moreover, local leaders’ public statements announcing they will stand off federal officials who attempt to intrude upon the privacy of their urban denizens conflict with their willingness to embrace the smart city gospel. Making city services more efficient and user-accessible should certainly be a priority for any municipal administration. But is installing cameras and sensors in every corner—creating a “total information awareness scheme”—the answer to that? If we don’t like our city’s privacy policy, do we have the ability to opt out?

Salvation is Individual

Despite the observable limits of current attempts at state and local privacy lawmaking, in the near future, further legislative or legal innovations to protect our digital privacy are likely to stem from this subnational scene. Local public officials across the partisan spectrum have demonstrated their willingness to talk privacy and grapple with the implications of its erosion in the digital era. It’s on us to mobilize and advocate for better. A potential first step: Demanding legislation that bans the sale and requires the deletion of metrics collected through smart city infrastructure. We may not be able to opt out from our city’s surveillance apparatus, but we are still free to opt into our political process and demand action.

It would have been useful to provide examples of the state-level legislation (in the area of biometrics, for example) so that the reader could understand both what might be undertaken, at what conceptual levels, and what the likelihood is of preemption, in the interest of what will genuinely be a growing burden on interstate commerce. Taxation will be a reasonably good guide to go by, in this area, won't it? Or why?


r4 - 12 Feb 2017 - 20:15:53 - EbenMoglen
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.