The utility of biometric data is more prevalent than it has ever been, primarily because developing technology has created a broad swath of convenient uses for it. It can help law enforcement authorities quickly target wanted individuals and also secure a business’s access to proprietary information. The best and most relatable example is the Apple iPhone’s fingerprint and facial recognition software.
However, with such valuable information comes heightened privacy concerns. Unlike the typical information businesses collect from their consumers and employees—name, email address, phone number, etc.—biometric data broadly encompasses an individual’s immutable characteristics and even behavioral patterns. Aside from data breaches, which are invariably a cause of concern for data protection, the prevailing news topic lately has been the legality and ethicality of the collection and use of biometric data.
Sen. Roger Wicker, R-Miss., has introduced yet another national privacy legislation bill, known as The SAFE DATA Act. The full name of the bill is the “Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act.” (As usual, I think legislators select an acronym they like, and then think of a name for the Act that will support the acronym.) The SAFE DATA Act combines elements of previously introduced privacy legislation to put forth a single, more robust and comprehensive privacy bill.
As the proliferation of connected devices, applications and other technology continues, the opportunities for the use and misuse of consumer data have also grown. With new and massive data breaches constantly entering the news cycle, lawmakers are responding to demands for privacy and data security.
The recent focus of privacy professionals in the United States has overwhelmingly been on the California Consumer Privacy Act (CCPA), particularly the release of the final regulations implementing the CCPA.
Amid the attention-grabbing CCPA headlines, businesses must not lose sight of other state laws that have recently passed, as well as legislation on the horizon. As reported by the National Conference of State Legislatures, more than half of U.S. states introduced consumer data privacy legislation and 43 states considered bills addressing cybersecurity in 2019.
Some of the new laws and proposed bills are summarized below and represent broader legislative trends that will likely continue into the new decade.
In 2016, the European Union (“EU”) created heightened data privacy rights for its citizens by enacting the General Data Privacy Regulation (“GDPR”). The most drastic change from the previous regulation, enacted in 1995, lies within the expanded territorial scope. The change now subjects companies to fines for violations of the regulation, even if those companies are not domiciled in the EU. Data privacy has always been considered a fundamental human right in the EU; however, within the United States, there is no fundamental right to privacy. Rather, the country’s privacy laws are based on a complicated sectoral structure that often leaves the country’s citizens confused as to what rights they actually have. This paper will review the EU and United States’ fundamental differences in privacy laws, the changes implemented by the GDPR (including the expanded territorial scope), the compliance plans of some major players within the United States, and what the future looks like for American businesses that hold or process the data of EU citizens under the GDPR.
In this article, we provide an overview of the literature on chilling effects and corporate profiling, while also connecting the two topics. We start by explaining how profiling, in an increasingly data-rich environment, creates substantial power asymmetries between users and platforms (and corporations more broadly). Inferences and the increasingly automated nature of decision-making, both based on user data, are essential aspects of profiling. We then connect chilling effects theory and the relevant empirical findings to corporate profiling. In this article, we first stress the relationship and similarities between profiling and surveillance. Second, we describe chilling effects as a result of state and peer surveillance, specifically. We then show the interrelatedness of corporate and state profiling, and finally spotlight the customization of behaviour and behavioural manipulation as particularly significant issues in this discourse. This is complemented with an exploration of the legal foundations of profiling through an analysis of European and US data protection law. We find that while Europe has a clear regulatory framework in place for profiling, the US primarily relies on a patchwork of sector-specific or state laws. Further, there is an attempt to regulate differential impacts of profiling via anti-discrimination statutes, yet few policies focus on combating generalized harms of profiling, such as chilling effects. Finally, we devise four concise propositions to guide future research on the connection between corporate profiling and chilling effects.
The question of whether the US needs a federal data protection law is not new, but the COVID-19 pandemic, among other factors, has shifted the debate. Discussion over whether a unified response on data protection would clarify how citizens’ data can be used for COVID-19 contact tracing and to strengthen control over how tech giants use citizens’ data has increased support for a federal law among both citizens and businesses. “The current moment feels different as several trends are coalescing to change the privacy zeitgeist and give multiple constituencies reasons to support federal action,” says Alan Raul, leader of Sidley Austin’s privacy and cybersecurity group in Washington, DC.
The advent of the commercial Internet has introduced novel challenges to global governance because of the transnational nature of shared data flows, creating interdependence that may result in inter-state cooperation or competition. Data protection laws that are designed to ensure citizens’ right to privacy are one of the primary tools used by states to extend control over data flows. The European Union’s (EU) General Data Protection Regulation (2016) is widely regarded as the strongest data protection law in the world, and therefore may serve as a barrier to the openness of the Internet. The GDPR is an instance of regulatory competition between the EU and US, but also heightens the need for cooperation to ensure the smooth functioning of online commerce. This paper shows that the EU is exporting the GDPR to jurisdictions such as the US via extraterritorial effects, even though the US has adopted an alternative legal approach to data protection. This paper seeks to explain the influence and limitations of the GDPR by considering factors such as the relative regulatory capabilities of the EU and the US as the result of their institutional and legal histories. It demonstrates that the EU has relied on complex interdependence to design a regulation like the GDPR, and it uses this regulatory competitive advantage alongside its soft power to promote its model of data protection, allowing the EU to obtain favorable outcomes in cooperation with the US.
Governments across the world are galvanizing every surveillance tool at their disposal to help stem the spread of the novel coronavirus. Countries have been quick to use the one tool almost all of us carry with us — our smartphones.
At the moment, the US doesn’t have a single body dedicated to enforcing privacy rules. It’s a side-mission at the Federal Trade Commission (FTC), which is limited in its approach. Under Section 5 of the FTC Act, it can’t issue fines for privacy violations immediately. Instead, it has to issue a consent decree (the violator has to agree that it won’t be naughty again) and it can only fine a company if it violates that decree. That’s why it didn’t fine Facebook for privacy infractions in 2011 but did levy a $5bn fine last year.