Law in the Internet Society

NEPA as a Model for a National Privacy Protection Act

-- By ZaneMuller - 3 Feb 2020

Anyone who has clicked “I accept” understands the futility of a contractual or consent-based regime for online privacy protection. So while the EU pushes ahead with GDPR and other states consider adopting a version of the CCPA, privacy advocates should begin thinking seriously about more effective reform. The status quo is bad because mass surveillance harms everyone’s privacy – it reduces individuals’ capacity for secrecy and anonymity in ways that subvert their autonomy. And because of the architecture of the network, your failure to maintain secrecy or anonymity can harm my autonomy. That external harm cannot be remedied by consent, and so we need social standards of care.

If we accept that externality regulation is the appropriate model, the question becomes, what would such privacy protections actually look like? The 1970 National Environmental Policy Act offers one model, and a potentially useful template for those who support a comprehensive national remedy to the harm that surveillance capitalism has done to privacy and democracy. An examination of its key features offers lessons for what a fully-realized National Privacy Policy Act should look like.

The History and Structure of NEPA

NEPA was the most pronounced legislative expression of an environmental movement in the United States tracing its roots to the conservationism of Teddy Roosevelt, bolstered by Cold War dread of a nuclear winter and catalyzed by a growing public sense of environmental crisis, made vivid by oil spills, burning rivers, and the threatened extinction of charismatic fauna. What is striking about the statutory language fifty years later is its tenor and clarity; no lip service whatever is paid to the virtues of industrial capitalism or the sanctity of jobs. Improving the quality of the environment by declaring a “basic national charter for protection of the environment” is the explicit, unqualified goal. Importantly, the statute articulates a democratic vision for environmental regulation, to “encourage and facilitate public involvement in decisions which affect the quality of the human environment.”

NEPA is notable for both its simplicity and breadth of coverage. At its core, it is a procedural requirement applying to any and all action by the Federal government, from building interstates to approving the use of Federal funds by state and local governments. Yet the entire statute fills no more than seven pages, and requires simply that Federal actions be accompanied by a review process providing the public and its representatives with “high quality information… [comprising] accurate scientific analysis, expert agency comments, and public scrutiny.” This information comes in the form of Environmental Impact Statements, accompanied by a rigorous procedure for identifying and evaluating the effects of any action and allowing the public to weigh in. This was a departure from prior, more granular environmental legislation, such as the Clean Air Act, that prescribed limits on specific sources of pollution but was of limited effect in combating systemic environmental problems and novel sources of degradation.

Despite its emphasis on procedure and lack of specific prohibitions, the strength and clarity of the Congressional mandate have allowed Federal agencies, including the EPA and the CEQ, to develop robust and comprehensive regulations that have withstood challenge in federal courts. For example, broad meaning is given to terms like “effects”, so that they include “indirect effects”, “induced” effects, and “related effects on natural systems including ecosystems”.

The environmental review process itself restrains environmental damage by the simple fact of imposing delays and costs on almost anyone who would alter the environment, and by holding public decision makers accountable for their approval of harmful projects. But crucially, it also gives standing to citizens and environmental groups who can use litigation as a tool of environmental protection. Combining public and private enforcement of environmental law makes it that much more effective.

Lessons for a National Privacy Protection Act

An effective NPPA would need a similar groundswell of public support across the political spectrum as well as firm grounding in American traditions of privacy, free association and free thought. Ideally it too would have a clear purpose: a “basic national charter for the protection of privacy”, unqualified by any nonsense about the virtues of big data or specious affirmations of the First Amendment. Democratic accountability would likewise be an essential component for restoring autonomy to the public and counterbalancing the asymmetries of information and power enjoyed by the likes of Google and Facebook.

Simplicity and breadth would be cardinal virtues of an effective NPPA; privacy harms, like environmental harms, are various, dynamic and often difficult to pinpoint absent mandatory public disclosure and scientifically-informed review. Michael Froomkin has proposed Privacy Impact Notices as an analog to the EIS, arguing that doing so would “ignite a regulatory dynamic by collecting information about the privacy costs of previously unregulated activities.” Or put simply, companies like Facebook would have to admit exactly what it is that they are doing with user data and defend its impact on the public.

A strong statement of Congressional intent, combined with authorization and funding for the creation of a Privacy Protection Agency, would empower the Federal government to regulate and rein in harmful and heretofore unregulated private surveillance practices. Ideally, the ambit of such a law would be identical to that of NEPA, covering any Federal action, including the domestic spying conducted by the NSA. But its reach to private companies would be assured by attaching the review process to Federal actions such as the licensing of the wireless spectrum or communications infrastructure spending.

The mere existence of such a law would cause reputation-sensitive large public companies to think harder about whether they really want to admit to their surveillance practices. But crucially, it would give standing to private actors who seek to defend privacy and create a legal environment where surveillance capitalism as currently practiced is no longer viable. The long-term success of NEPA in delivering on its ambition is cause for optimism.

