California Privacy Legislation: A Timeline of Key Events

Authors: Katelyn Ringrose (Christopher Wolf Diversity Law Fellow) and Jeremy Greenberg (Policy Counsel) 

——-

Today, the California Attorney General will begin enforcing the California Consumer Privacy Act (CCPA). The California AG’s office may bring enforcement actions and seek penalties for violations of core provisions of the CCPA. The AG’s request for expedited review of regulations that supplement the CCPA is pending before the California Office of Administrative Law (OAL); the AG regulations provide additional detail regarding particular CCPA provisions.

The CCPA, which came into effect January 2020, is the first non-sectoral privacy law passed in the United States that contains broad consumer rights to access, delete, and opt out of the sale of their data. The CCPA has sparked major compliance efforts in the United States and globally, and the legislation was a long time in the making—beginning as a 2016 ballot initiative. 

In commemoration of today’s landmark enforcement date, we look back at the events that brought us to this point, and potential future ramifications. Below is a timeline of events regarding California privacy legislation from 2016 – 2020. This timeline examines the inception of the CCPA, the various amendments and lawsuits that have shaped its scope and enforcement provisions, and the current status of the California Privacy Rights Act (CPRA), or “CCPA 2.0,” recently certified for the 2020 ballot. If passed, CPRA would become effective in 2023. 

Download this Timeline

What’s next? If voters in California vote for the CPRA ballot initiative in the general election on November 3, 2020, the CPRA would become effective on January 1, 2023. The proposed law contains broader substantive protections than the CCPA, including data minimization and purpose limitation obligations, a stronger opt-out of behavioral advertising, and restrictions regarding the use of sensitive data. It would also establish a new Privacy Protection Agency in California to create additional regulations and to enforce the law. 

FPF Resources on CCPA //

Additional Reading //

Acknowledgements to Stacey Gray, Senior Counsel (US Legislation and Policymaker Education), Polly Sanderson, Policy Counsel. 

Did we miss any key events? Let us know at [email protected].

Commoditization of Data is the Problem, Not the Solution – Why Placing a Price Tag on Personal Information May Harm Rather Than Protect Consumer Privacy

This guest post is by Lokke Moerel, a Professor of Global ICT Law at Tilburg University and Senior of Counsel at Morrison & Foerster in Berlin, and Christine Lyon, partner at Morrison & Foerster in Palo Alto, California. To learn more about FPF in Europe, please visit https://fpf.org/eu.

By Lokke Moerel and Christine Lyon[1]

Friend and foe agree that our society is undergoing a digital revolution that is in the process of transforming our society as we know it. In addition to economic and social progress, every technological revolution also brings along disruption and friction.[2] The new digital technologies (and, in particular, artificial intelligence-AI) are fueled by huge volumes of data, leading to the common saying that “data is the new oil.” These data-driven technologies transform existing business models and present new privacy issues and ethical dilemmas.[3] Social resistance to the excesses of the new data economy is becoming increasingly visible and leads to calls for new legislation.[4]

Commentators argue that a relatively small number of companies are disproportionately profiting from consumers’ data, and that the economic gap continues to grow between technology companies and the consumers whose data drives the profits of these companies.[5] Consumers are also becoming more aware of the fact that free online services come at a cost to their privacy, where the modern adage has become that consumers are not the recipients of free online services but are actually the product itself.[6]

U.S. legislators are responding by proposing prescriptive notice and choice requirements which intend to serve the dual purpose of providing consumers with greater control over the use of their personal information and at the same time enabling them to profit from that use of their information.

An illustrative example is California Governor Gavin Newsom’s proposal that consumers should “share the wealth” that technology companies generate from their data, potentially in the form of a “data dividend” to be paid to Californians for the use of their data.[7] California’s Consumer Privacy Act (CCPA) also combines the right of consumers to opt out of the sale of their data with a requirement that any financial incentive offered by companies to consumers for the sale of their personal information should be reasonably related to the value of the consumer’s data.[8]

These are not isolated examples. The academic community is also proposing alternative ways to address wealth inequality. Illustrative here is Lanier and Weyl’s proposal for the creation of data unions that would negotiate payment terms for user-generated content and personal information supplied by their users, which we will discuss in further detail below.

Though these attempts to protect, empower, and compensate consumers are commendable, the proposals to achieve these goals are actually counterproductive. The remedy is here worse than the ailment.

To illustrate the underlying issue, let’s take the example of misleading advertising and unfair trade practices. If an advertisement is misleading or a trade practice unfair, it is intuitively understood that companies should not be able to remedy this situation by obtaining consent for such practice from the consumer. In the same vein, if companies generate large revenues with their misleading and unfair practices, the solution is not to ensure consumers get their share of the illicitly obtained revenues. If anything would provide an incentive to continue misleading and unfair practices, this would be it.

As always with data protection in the digital environment, the issues are far less straightforward than in their offline equivalents and therefore more difficult to understand and address. History shows that whenever a new technology is introduced, society needs time to adjust. As a consequence, the data economy is still driven by the possibilities of technology rather social and legal norms.[9] This inevitably leads to social unrest and calls for new rules, such as the call of Microsoft’s CEO, Satya Nadella, for the U.S., China, and Europe to come together and establish a global privacy standard based on the EU General Data Protection Regulation (GDPR).[10]

From privacy is dead to privacy is the future. The point here is that not only technical developments are moving fast, but also that social standards and customer expectations are evolving.[11]

To begin to understand how our social norms should be translated to the new digital reality, we will need to take the time to understand the underlying rationales of the existing rules and translate them to the new reality. Our main point here is that that the two concepts of consumer control and wealth distribution are separate but intertwined. They seek to empower consumers to take control of their data, but they also treat privacy protection as a right that can be traded or sold. These purposes are equally worthy, but cannot be combined. They need to be regulated separately and in a different manner. Adopting a commercial trade approach to privacy protection will ultimately undermine rather than protect consumer privacy. To complicate matters further, experience with the consent-based model for privacy protection in other countries (and especially under the GDPR) shows that the consent-based model is flawed and fails to achieve privacy protection in the first place. We will first discuss why consent is not the panacea to achieve privacy protection.

 

Why Should We Be Skeptical of Consent as a Solution for Consumer Privacy?

On the surface, consent may appear to be the best option for privacy protection because it allows consumers to choose how they will allow companies to use their personal information. Consent tended to be the default approach under the EU’s Data Protection Directive, and the GDPR still lists consent first among the potential grounds for processing of personal data.[12] Over time, however, confidence in consent as a tool for privacy protection has waned.

Before GDPR, many believed that the lack of material privacy compliance was mostly due to lack of enforcement under the Directive, and that all would be well when the European supervisory authorities would have higher fining and broader enforcement powers. However, now these powers are granted under GDPR, not much has changed and privacy violations are still being featured in newspaper headlines.

By now the realization is setting in that non-compliance with privacy laws may also be created by a fundamental flaw in consent-based data protection. The laws are based on the assumption that as long as people are informed about which data are collected, by whom and for which purposes, they can then make an informed decision. The laws seek to ensure people’s autonomy by providing choices. In a world driven by AI, however, we can no longer fully understand what is happening to our data. The underlying logic of data-processing operations and the purposes for which they are used have now become so complex that they can only be described by means of intricate privacy policies that are simply not comprehensible to the average citizen. It is an illusion to suppose that by better informing individuals about which data are processed and for which purposes, we can enable them to make more rational choices and to better exercise their rights. In a world of too many choices, autonomy of the individual is reduced rather than increased. We cannot phrase it better than Cass Sunstein in his book, The Ethics of Influence(2016):

[A]utonomy does not require choices everywhere; it does not justify an insistence on active choosing in all contexts. (…) People should be allowed to devote their attention to the questions that, in their view, deserve attention. If people have to make choices everywhere, their autonomy is reduced, if only because they cannot focus on those activities that seem to them most worthy of their time.[13]

More fundamental is the point that a regulatory system that relies on the concept of free choice to protect people against consequences of AI is undermined by the very technology this system aims to protect us against. If AI knows us better than we do ourselves, it can manipulate us, and strengthening the information and consent requirements will not help.

Yuval Harari explains it well:

What then, will happen once we realize that customers and voters never make free choices, and once we have the technology to calculate, design or outsmart their feelings? If the whole universe is pegged to the human experience, what will happen once the human experience becomes just another designable product, no different in essence from any other item in the supermarket?[14]

The reality is that organizations find inscrutable ways of meeting information and consent requirements that discourage individuals from specifying their true preferences and often make them feel forced to click “OK” to obtain access to services.[15] The commercial interests of collecting as many data as possible are so large that in practice all tricks available are often used to entice website visitors and app users to opt in (or to make it difficult for them to opt out). The design thereby exploits the predictably irrational behavior of people so that they make choices that are not necessarily in their best interests.[16] A very simple example is that consumers are more likely to click on a blue button than a gray button, even if the blue one is the least favorable option. Telling is that Google once tested 41 shades of blue to measure user response.[17] Also established companies deliberately make it difficult for consumers to make their actual choice and seem to have little awareness of doing something wrong. In comparison, if you would deliberately mislead someone in the offline world, everyone would immediately feel that this was unacceptable behavior.[18] Part of the explanation for this is that the digital newcomers have deliberately and systematically pushed the limits of their digital services in order to get their users accustomed to certain processing practices.[19] Although many of these privacy practices are now under investigation by privacy and antitrust authorities around the world,[20] we still see that these practices have obscured the view of what is or is not an ethical use of data.

Consent-based data protection laws have resulted in what is coined as mechanical proceduralism,[21] whereby organizations go through the mechanics of notice and consent, without any reflection on whether the relevant use of data is legitimate in the first place. In other words, the current preoccupation is with what is legal, which is distracting us from asking what is legitimate to do with data. We see this reflected in even the EU’s highest court having to decide whether a pre-ticked box constitutes consent (surprise: it does not) and the EDPB feeling compelled to update its earlier guidance by spelling out whether cookie walls constitute “freely given” consent (surprise: they do not).[22]

Privacy legislation needs to regain its role of determining what is and is not permissible. Instead of a legal system based on consent, we need to re-think the social contract for our digital society, by having the difficult discussion about where the red lines for data use should be rather than passing the responsibility for a fair digital society to individuals to make choices that they cannot oversee.[23]

 

The U.S. System: Notice and Choice (as Opposed to Notice and Consent)

In the United States, companies routinely require consumers to consent to the processing of their data, such as by clicking a box stating that they agree to the company’s privacy policy, although there is generally no consent requirement under U.S. law.[24] This may reflect an attempt to hedge the risk of consumers challenging the privacy terms as an ‘unfair trade practice’.[25] The argument being that the consumer made an informed decision to accept the privacy terms as part of the transaction, and that the consumer was free to reject the company’s offering and choose another. In reality, of course, consumers will have little actual choice, particularly where the competing options are limited and offer similar privacy terms. In economic terms, we have an imperfect market where companies do not compete based on privacy given their aligned interest to acquire as much personal information of consumers as possible.[26] This leads to a race to the bottom in terms of privacy protection.[27]

An interesting parallel here is that the EDPB recently rejected the argument that consumers would have freedom of choice in these cases:[28]

The EDPB considers that consent cannot be considered as freely given if a controller argues that a choice exists between its service that includes consenting to the use of personal data for additional purposes on the one hand, and an equivalent service offered by a different controller on the other hand. In such a case, the freedom of choice would be made dependent on what other market players do and whether an individual data subject would find the other controller’s services genuinely equivalent. It would furthermore imply an obligation for controllers to monitor market developments to ensure the continued validity of consent for their data processing activities, as a competitor may alter its service at a later stage. Hence, using this argument means a consent relying on an alternative option offered by a third party fails to comply with the GDPR, meaning that a service provider cannot prevent data subjects from accessing a service on the basis that they do not consent.

By now, U.S. privacy advocates also urge the public and private sectors to move away from consent as a privacy tool. For example, Lanier and Weyl argued that privacy concepts of consent “aren’t meaningful when the uses of data have become highly technical, obscure, unpredictable, and psychologically manipulative.”[29] In a similar vein, Burt argued that consent cannot be expected to play a meaningful role, “[b]ecause the threat of unintended inferences reduces our ability to understand the value of our data, our expectations about our privacy—and therefore what we can meaningfully consent to—are becoming less consequential.”[30]

Moving away from consent / choice-based privacy models is only part of the equation, however. In many cases, commentators have even greater concerns about the economic ramifications of large-scale data processing and whether consumers will share in the wealth generated by their data.

 

Disentangling Economic Objectives from Privacy Objectives

Other than a privacy concept, consent can also be an economic tool: a means of giving consumers leverage to gain value from companies for the use of their data. The privacy objectives and economic objectives may be complementary, even to the point that it may not be easy to distinguish between them. We need to untangle these objectives, however, because they may yield different results.

Where the goal is predominantly economic in nature, the conversation tends to shift away from privacy to economic inequality and fair compensation. We will discuss the relevant proposals in more detail below, but note that all proposals require that we put a ‘price tag’ on personal information.

“It is obscene to suppose that this [privacy] harm can be reduced to the obvious fact that users receive no fee for the raw material they supply. That critique is a feat of misdirection that would use a pricing mechanism to institutionalize and therefore legitimate the extraction of human behavior for manufacturing and sale.” – Zuboff, p. 94.

  1. No Established Valuation Method

Despite personal information being already bought and sold among companies, such as data brokers, there is not yet an established method of calculating the value of personal information.[31] Setting one method will likely prove impossible under all circumstances. For example, the value of such data to a company will depend on the relevant use, which may well differ per company. The value of data elements often also differs depending on the combination of data elements available, whereby data analytics of mundane data may lead to valuable inferences that can be sensitive for the consumer. How much value should be placed on the individual data elements, as compared with the insights the company may create by combining these data elements or even by combining these across all customers?[32]

The value of data to a company may further have little correlation with the privacy risks to the consumer. The cost to consumers may depend not only on the sensitivity of use of their data but also on the potential impact if their data are lost. For example, information about a consumer’s personal proclivities may be worth only a limited dollar amount to a company, but the consumer may have been unwilling to sell that data to the company for that amount (or, potentially, for any amount). When information is lost, the personal harm or embarrassment to the individual may be much greater than the value to the company. The impact of consumers’ data being lost will also often depend on the combination of data elements. For instance, an email address is not in itself sensitive data, but in combination with a password, it becomes highly sensitive as people often use the same email/password combination to access different websites.

Different Approaches to Valuation

One approach might be to leave it to the consumer and company to negotiate the value of the consumer’s data to that company, but this would be susceptible to all of the problems discussed above, such as information asymmetries and unequal bargaining power. It may also make privacy a luxury good for the affluent, who would feel less economic pressure to sell their personal information, thus resulting in less privacy protection for consumers who are less economically secure.[33]

Another approach is suggested by Lanier and Weyl and would require companies to pay consumers for using their data, with the payment terms negotiated by the equivalent of new entities similar to labor unions that would engage in collective bargaining with companies over data rights.[34] However, this proposal also would require consumers to start paying companies for services that today are provided free of charge in exchange for the consumer’s data, such as email, social media, and cloud-based services. Thus, a consumer may end up ahead or behind financially, depending on the cost of the services that the consumer chooses to use and the negotiated value of the consumer’s data.

A third approach may involve the “data dividend” concept proposed by Governor Newsom. As the concept hasn’t yet been clearly defined, some commentators suggest that this proposal involves individualized payments directly to consumers, while others suggest that payments are to be made into a government fund from which fixed payments would be made to consumers, similar to the Alaska pipeline fund that sought to distribute some of the wealth generated from Alaska’s oil resources to its residents. Given that data has been called the “new oil,” the idea of a data dividend modeled on the Alaska pipeline payments may seem apt, although the analogy quickly breaks down due to the greater difficulty of calculating the value of data.[35] Moreover, commentators have rightly noted that the data dividend paid to an individual is likely to be mere “peanuts,” given the vast numbers of consumers whose information is being used.[36]

Whatever valuation and payment model – if any – might be adopted, it risks devaluing privacy protection. The data dividend concept, as well as the CCPA’s approach to financial incentives, each suggest that the value of a consumer’s personal information is measured by its value to the company.[37] As indicated before, this value may have little correlation with the privacy risks to the consumer.  Though it is commendable that these proposals seek to provide some measure of compensation to consumers, it is important to avoid conflating economic and privacy considerations, and avoid a situation where consumers will be trading away their data or privacy rights.[38] Although societies certainly may decide to require some degree of compensation to consumers as a wealth redistribution measure, it will be important to present this as an economic tool and not as a privacy measure.

 

Closing Thoughts

As the late Giovanni Buttarelli in his final vision statement forewarned, “Notions of ‘data ownership’ and legitimization of a market for data risks a further commoditization of the self and atomization of society…. The right to human dignity demands limits to the degree to which an individual can be scanned, monitored and monetized—irrespective of any claims to putative ‘consent.’”[39]

There are many reasons why societies may seek to distribute a portion of the wealth generated from personal information to the consumers who are the source and subject of this personal information. This does not lessen the need for privacy laws to protect this personal information, however. By distinguishing clearly between economic objectives and privacy objectives, and moving away from consent-based models that fall short of both objectives, we can best protect consumers and their data, while still enabling companies to unlock the benefits of AI and machine learning for industry, society, and consumers.

[1]Lokke Moerel is a Professor of Global ICT Law at Tilburg University and Senior of Counsel at Morrison & Foerster in Berlin. Christine Lyon is partner at Morrison & Foerster in Palo Alto, California.

[2]E. Brynjolfsson & A. McAfee, Second Machine Age: Work, Progress, and Prosperity in a Time of Brilliant New Technologies, London: W.W. Norton & Company 2014, which gives a good overview of the friction and disruption that arose from the industrial revolution and how society ultimately responded and regulated negative excesses and a description of the friction and disruption caused by the digital revolution. A less accessible, but very instructive, book, on the risks of digitization and big tech for society is S. Zuboff, The Age of Surveillance Capitalism, New York: Public Affairs 2019 (hereinafter, “Zuboff 2019”).

[3]An exploration of these new issues, as well as proposals on how to regulate the new reality from a data protection perspective, can be found in L. Moerel, Big Data Protection: How to Make the Draft EU Regulation on Data Protection Future Proof(oration Tilburg), Tilburg: Tilburg University 2014 (hereinafter, “Moerel 2014”), pp. 9-13, and L. Moerel & C. Prins, Privacy for the Homo Digitalis: Proposal for a New Regulatory Framework for Data Protection in the Light of Big Data and the Internet of Things(2016), [ssrn.com/abstract=2784123] (hereinafter, “Moerel & Prins 2016”). On ethical design issues, see J. Van den Hoven, S. Miller & T. Pegge (eds.), Designing in Ethics, Cambridge: CUP 2017 (hereinafter, “Van den Hoven, Miller & Pegge 2017”), p. 5.

[4]L. Vaas, “FTC renews call for single federal privacy law,” Naked Security by Sophos(May 10, 2019), https://nakedsecurity.sophos.com/2019/05/10/ftc-renews-call-for-single-federal-privacy-law/.

[5]Jaron Lanier and E. Glen Weyl, “A Blueprint for a Better Digital Society,” Harvard Business Review(Sept. 26, 2018), https://hbr.org/2018/09/a-blueprint-for-a-better-digital-society.

[6]Zuboff 2019, p. 94, refers to this by a now commonly cited adage, but nuances it by indicating consumers are not the product, but rather “[the objects from which raw materials are extracted and expropriated for Google’s prediction factories. Predictions about our behavior are Google’s products, and they are sold to its actual customers but not to us.”

[7]Angel Au-Yeung, “California Wants to Copy Alaska and Pay People a ‘Data Dividend.’ Is It Realistic?” Forbes(Feb. 14, 2019), https://www.forbes.com/sites/angelauyeung/2019/02/14/california-wants-to-copy-alaska-and-pay-people-a-data-dividend–is-it-realistic/#30486ee6222c.

[8]Cal. Civ. Code § 1798.125(b)(1) (“A business may offer financial incentives, including payments to consumers as compensation for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the business by the consumer’s data”). The California Attorney General’s final proposed CCPA regulations, issued on June 1, 2020 (Final Proposed CCPA Regulations), expand on this obligation by providing that a business must be able to show that the financial incentive or price or service difference is reasonably related to the value of the consumer’s data. (Final Proposed CCPA Regulations at 20 CCR § 999.307(b).)  The draft regulations also require the business to use and document a reasonable and good faith method for calculating the value of the consumer’s data. Id. 

[9]Moerel 2014, p. 21.

[10]Isobel Asher Hamilton, “Microsoft CEO Satya Nadella made a global call for countries to come together to create new GDPR-style data privacy laws,” Business Insider(Jan. 24, 2019), available at https://www.businessinsider.com/satya-nadella-on-gdpr-2019-1.

[11]L. Moerel, Reflections on the Impact of the Digital Revolution on Corporate Governance of Listed Companies,first published in Dutch by Uitgeverij Paris in 2019, and written in assignment of the Dutch Corporate Law Association for their annual conference, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3519872, at para. 4.

[12]GDPR Art. 6(1): “Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes….”

[13]Cass Sunstein, The Ethics of Influence, Cambridge University Press 2016 (hereinafter: Sunstein 2016), p. 65. .

[14]Yuval Noah Harari, Homo Deus: A History of Tomorrow, Harper 2017(hereinafter: Harari 2017), p. 277.

[15]This is separate from the issue that arises where companies require a consumer to provide consent for use of their data for commercial purposes, as a condition of receiving goods or services (so-called tracking walls and cookies walls). It also may arise if a consumer is required to provide a bundled consent that covers multiple data processing activities, without the ability to choose whether to consent to a particular data processing activity within that bundle. In May 2020, the European Data Protection Board (EDPB) updated its guidance on requirements of consent under the GDPR, now specially stating that consent is not considered freely given in the case of cookie walls, see EDPB Guidelines 05/2020 on consent under Regulation 2016/679 Version 1.0, Adopted on May 4, 2020, available at https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf(EDPB Guidelines on Consent 2020).

[16]This is the field of behavioral economics. See D. Ariely, Predictably Irrational, London: HarperCollinsPublishers 2009 (hereinafter, “Ariely 2009”), at Introduction. For a description of techniques reportedly used by large tech companies, see the report from the Norwegian Consumer Council, Deceived by Design: How tech companies use dark patterns to discourage our privacy rights(June 27, 2018), available at https://fil.forbrukerradet.no/wp-content/uploads/2018/06/2018-06-27-deceived-by-design-final.pdf(hereinafter, “Norwegian Consumer Council 2018”). The Dutch Authority for Consumers & Market (ACM) has announced that the abuse of this kind of predictable irrational consumer behavior must cease and that companies have a duty of care to design the choice architecturein a way that is fair and good for the consumer. Authority for Consumers & Market, Taking advantage of predictable consumer behavior online should stop(Sept. 2018), available at https://fil.forbrukerradet.no/wp-content/uploads/2018/06/2018-06-27-deceived-by-design-final.pdf.

[17]See Norwegian Consumer Council 2018, p. 19, reference L.M. Holson, “Putting a Bolder Face on Google,” New York Times(Feb. 28, 2009), www.nytimes.com/2009/03/01/business/01marissa.html.

[18]See Van den Hoven, Miller & Pegge 2017, p. 25, where the ethical dimension of misleading choice architecture is well illustrated by giving an example in which someone with Alzheimer’s is deliberately confused by rearranging his or her system of reminders. For an explanation of a similar phenomenon, see Ariely 2009, Introduction and Chapter 14: “Why Dealing with Cash Makes Us More Honest,” where it is demonstrated that most unfair practices are one step removed from stealing cash. Apparently, it feels less bad to mess around in accounting than to steal real money from someone.

[19]Zuboff 2019 convincingly describes that some apparent failures of judgmentthat technology companies’ management regard as misstepsand bugs(for examples, see p. 159), are actually deliberate, systematic actions intended to habituate their users to certain practices in order to eventually adapt social norms. For what Zuboff 2019 calls the Disposition Cycle, see pp. 138-166.

[20]Zuboff 2019 deals extensively with the fascinating question of how it is possible that technology companies got away with these practices for so long. See pp. 100-101.

[21]Moerel & Prins 2016, para. 3.

[22]EDPB Guidelines on Consent, p. 10.

[23]Lokke Moerel, IAPP The GDPR at Two: Expert Perspectives, “EU data protection laws are flawed — they undermine the very autonomy of the individuals they set out to protect”, 26 May 2020, https://iapp.org/resources/article/gdpr-at-two-expert-perspectives/.

[24]U.S. privacy laws require consent only in limited circumstances (e.g., the Children’s Online Privacy Protection Act, Fair Credit Reporting Act, and Health Insurance Portability and Accountability Act), and those laws typically would require a more specific form of consent in any event.

[26]See the following for discussion of why, from an economic perspective, information asymmetries and transaction cost lead to market failure which require legal intervention, Frederik. J. Zuiderveen Borgesius, “Consent to Behavioural Targeting in European Law – What Are the Policy Implications of Insights From Behavioural Economics,” Amsterdam Law School Legal Studies Research Paper No. 2013-43, Institute for Information Law Research Paper No. 2013-02 -(hereinafter: Borgesius 2013), pp. 28 and 37, SSRN-id2300969.pdf.

[28]EDPB Guidelines on Consent, p. 10.

[29]Lanier and Weyl, “A Blueprint for a Better Digital Society,” Harvard Business Review(Sept. 26, 2018).

[30]Andrew Burt, “Privacy and Cybersecurity Are Converging. Here’s Why That Matters for People and for Companies,” Harvard Business Review(Jan. 3, 2019), https://hbr.org/2019/01/privacy-and-cybersecurity-are-converging-heres-why-that-matters-for-people-and-for-companies.

[31]See, e.g., Adam Thimmsech, “Transacting in Data: Tax, Privacy, and the New Economy,” 94 Denv. L. Rev. 146 (2016) (hereinafter, “Thimmsech”), pp. 174-177 (identifying a number of obstacles to placing a valuation on personal information and noting that “[u]nless and until a market price develops for personal data or for the digital products that are the tools of data collection, it may be impossible to set their value”). See also Dante Disparte and Daniel Wagner, “Do You Know What Your Company’s Data Is Worth?” Harvard Business Review(Sept. 16, 2016) (explaining the importance of being able to accurately quantify the enterprise value of data (EvD) but observing that “[d]efinitions for what constitutes EvD, and methodologies to calculate its value, remain in their infancy”).

[32]Thimmsech at 176: “To start, each individual datum is largely worthless to an aggregator. It is the network effects that result in significant gains to the aggregator when enough data are collected. Further complicating matters is the fact that the ultimate value of personal data to an aggregator includes the value generated by that aggregator through the use of its algorithms or other data-management tools. The monetized value of those data is not the value of the raw data, and isolating the value of the raw data may be impossible.”

[33]Moerel & Prins 2016, para. 2.3.2. See also Morozov, Evengy (2013), “To Save Everything Click Here. The Folly of Technological Solutionism,” Public Affairs, whowarns that for pay-as-you-liveinsurance for some people the choice will not be a fully free one, since those on a limited budget may not be able to afford privacy-friendly insurance. After all, it is bound to be more expensive.

[34]Lanier and Weyl, “A Blueprint for a Better Digital Society,” Harvard Business Review(Sept. 26, 2018) (“For data dignity to work, we need an additional layer of organizations of intermediate size to bridge the gap. We call these organizations ‘mediators of individual data,’ or MIDs. A MID is a group of volunteers with its own rules that represents its members in a wide range of ways. It will negotiate data royalties or wages, to bring the power of collective bargaining to the people who are the sources of valuable data….”). Lanier extends this theory more explicitly to personal information in his New York Times video essay at https://www.nytimes.com/interactive/2019/09/23/opinion/data-privacy-jaron-lanier.html. See also Imanol Arrieta Ibarra, Leonard Goff, Eigo Jiminez Hernandez, Jaron Lanier, and E. Glen Weyl, “Should We Treat Data as Labor?: Moving Beyond “Free,” American Economic Association Papers & Proceedings, Vol. 1, No. 1 (May 2018) at https://www.aeaweb.org/articles?id=10.1257/pandp.20181003, at p. 4 (suggesting that data unions could also exert power through the equivalent of labor strikes: “[D]ata laborers could organize a “data labor union” that would collectively bargain with [large technology companies]. While no individual user has much bargaining power, a union that filters platform access to user data could credibly call a powerful strike. Such a union could be an access gateway, making a strike easy to enforce and on a social network, where users would be pressured by friends not to break a strike, this might be particularly effective.”).

[35]See, e.g.,Marco della Cava, “Calif. tech law would compensate for data,” USA Today(Mar. 11, 2019) (“[U]nlike the Alaska Permanent Fund, which in the ’80s started doling out $1,000-and-up checks to residents who were sharing in the state’s easily tallied oil wealth, a California data dividend would have to apply a concrete value to largely intangible and often anonymized digital information. There also is concern that such a dividend would establish a pay-for-privacy construct that would be biased against the poor, or spawn a tech-tax to cover the dividend that might push some tech companies out of the state.”).

[36]Steven Hill, “Opinion: Newsom’s California Data Dividend Idea is a Dead End,” East Bay Times (Mar. 7, 2019) (“While Newsom has yet to release details…the money each individual would receive amounts to peanuts. Each of Twitter’s 321 million users would receive about $2.83 [if the company proportionally distributed its revenue to users]; a Reddit user about 30 cents. And paying those amounts to users would leave these companies with zero revenue or profits. So in reality, users would receive far less. Online discount coupons for McDonald’s would be more lucrative.”).

[37]Cal. Civ. Code § 1798.125(a)(2) (“Nothing in this subdivision prohibits a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the business by the consumer’s data.”). The CCPA originally provided that the difference must be “directly related to the value provided to the consumerby the consumer’s data,” but it was later amended to require the difference to be “directly related to the value provided to the business by the consumer’s data.” (Emphases added.) The CCPA does not prescribe how a business should make this calculation. The Final Proposed CCPA Regulations would require businesses to use one or more of the following calculation methods, or “any other practical and reliable method of calculation used in good-faith” (Final Proposed CCPA Regulations, 20 CCR § 999.307(b)):

[38]See in a similar vein the German Data Ethics Commission, Standards for the Use of Personal Data, Standard 6:6, where it argues that data should not be referred to as a “counter-performance” provided in exchange for a service, even though the term sums up the issue in a nutshell and has helped to raise awareness among the general public. https://www.bmjv.de/SharedDocs/Downloads/DE/Themen/Fokusthemen/Gutachten_DEK_EN.pdf?__blob=publicationFile&v=2.

[39]International Association of Privacy Professionals, Privacy 2030 for Europe: A New Vision for Europe at p. 19, https://iapp.org/media/pdf/resource_center/giovanni_manifesto.pdf.

 

 

 

Remarks on Diversity and Inclusion by Michael McCullough

Last Thursday, June 18, 2020, Macy’s Chief Privacy Officer and FPF Advisory Board member Michael McCullough spoke about diversity and inclusion at WireWheel’s Spokes 2020 conference. 

The Question:

I’ve spoken to each of you about your views on diversity and equality, and about how that’s reflected in our privacy and data protection community. This has been an especially important time for that, but our community needs to help drive on these important issues. How do you think we can do that?

Response:

This is such a soul-crushing topic that we HAVE to tackle and keep tackling and keep talking about. People of conscience and goodwill MUST constantly strive for fairness and egalitarianism in all aspects of our society.

This is /// a painful time for me and so many others… and it’s hard to talk about – certainly in this setting. But I’m going to do it because it matters. And Justin, I appreciate your candor, openness and clear commitment to having these conversations.///

I get asked a lot – personally and professionally: /// “What are you; I mean what’s your background?”/// I respond – generally – cheerfully enough. I am half black and half white. /// But none of that is even close to what I AM. That is the most uninteresting, insipid question ABOUT ME. /// I know most mean no harm – it may be of genuine interest. But it’s really more about the asker, a crutch to know what box to put me in – even if subconsciously. Even if that is not the case, it FEELS like that’s the case.

So…I am black and white. While more and more people today are a mix of some “races,” I grew up with the knowledge that my mere existence was unlawful in some quarters due to anti-miscegenation laws…and you may be surprised to know this repugnant language remained in state constitutions after Loving v Virginia — till 1987 in Mississippi; 1998 in South Carolina and 2000 in Alabama.

Being both black and white I KNOW how hard this topic is. For some white people, there’s guilt and facing up to one’s own prejudices and privileges that are uncomfortable /// or a semblance of shame for feeling they’ve not done enough to be part of the solution, /// and dozens of other discomfiting sensations.

For many black folks, there’s anguish, historical… living history and immediate pain. There’s rage. Productive, real conversations are hard when there is existential pain. And sometimes, at least for me, those conversations feel like bowling for soup and a poultice for someone else’s wound that’s doing just enough for an entry in the CSR (Corporate Sustainability Report). I myself, and so many folks I have talked to, are self-policing on how to even talk about racism and white supremacy (especially in a professional/corporate environment): /// there’s hyper awareness ‘to be measured’ so as not to appear strident and feed into a stereotype (or be cast as too emotive for business). There’s personal risk in this talk.

So, this is my background to answer the question, “how do we think we can drive diversity and inclusion?”

We all know this is an institutional, systemic problem. Structural discrimination doesn’t require conscious racists or sexists. We all know there is no silver bullet. All we can do is start tearing down those institutions, this increasingly colonizing white supremacy sexist archipelago…one brick at a time.

Business efforts have to move from compensatory to reparative. Strategies for Diversity & Inclusion – commitments to reevaluate hiring practices, ensuring diversity in supply chain and vendors — are compensatory. As the adage goes “culture eats strategy for breakfast.” We need to planfully invest in building cultures of fairness and equity.

We are all getting the emails and messaging from companies stating their commitment to optimize diversity and inclusion and their strategies to build an inclusive environment. 130 plus years late – Aunt Jemima is being retired, as are Uncle Ben and Ms. Butterworth. Seriously! It’s 2020. These are major companies. I know they have Equal Opportunity policies and pro-diversity programs…. Something is wrong. Something is very wrong.

Then you have Ben and Jerry’s statement. /// I am shocked and disappointed that their statement entitled “We Must Dismantle White Supremacy: Silence Is NOT An Option” was so shocking. THAT stake in the ground is REPARATIVE. That is a culture bomb. We can no longer just be pro-diversity; pro-fairness; pro-equity; pro-black; pro-women; pro-Jewish or Sikh — we have to become culturally ANTI-RACIST; ANTI-SEXIST; ANTI-DISCRIMINATORY. That semantic difference matters — here’s why:

Relevant to our Worlds and what we control… We are very good at measuring and managing risk. There’s always a balance and certain tolerances – a calculus. But the “purpose” of risk management ultimately is economic and — in quotations “fiduciary.” Within that calculus we are less good at recognizing and accounting for “harms.” /// Bias harms are hard to tease out… and sometimes it is hard to get people to understand why bias harms are bad and should be cured; not managed… this is increasingly true when the “harms” potentially affect “only” small groups or are individualized, which is relevant as we increasingly pursue meaningful personalization. Risk management, we are good at the big stuff; less good at the small stuff. We need to be hyper aware of how we group and categorize “others.” Mere categorization can lead to harm…even if unintentional…(“WHAT ARE YOU, I mean what’s your background”) and especially when profitable, because “racism is productive”. In the obvious and clearly egregious cases, Aunt Jemima and Uncle Ben’s are profitable. /// So, what to do?

We have all had the rousing IT exec that makes a “zero defect environment” a MISSION. Is it achievable? No…. But it gives purpose beyond the traffic-lighting we can get caught up in in the day-to-day. Likewise, we can set a standard as “zero discrimination/zero harm” (zero defect) in our data practices. It gives mission and purpose to what otherwise is simply effective management. This mission can be supported operationally by assurance activities like adding, maintaining and appropriately updating equity analysis for code audits.

Many of the other things we can do have been talked about for years.

Demanding not just diversity on boards, but people with a demonstrated commitment to fairness and equity as a mission. And I mean women, I mean people of color, I mean trans and non-binary people. The co-founder of Reddit stepped down from its board and asked to be replaced by a person of color after recognizing his own white privilege that he had come to recognize due to his marriage to Serena Williams and after having bi-racial children.

Commit to a diverse pipeline and curate talent (so don’t just do executive recruiting at schools, invest in, co-design the programs that teach and build zero discrimination coding and design), /// measure it and seek feedback internally and externally. Defang an inarguably unfair and institutionally white supremacist carceral system by promoting programs and focusing on giving formerly incarcerated a hand up. Go beyond including diverse images in your spaces; seek out and ensure diverse image makers and story tellers are contributing to spaces. Give time, dollars and people to groups that are challenging status quo approaches to tech and be partners in experimentation. Challenge filter bubbles in your own organizations — I’ve seen the breakrooms and lunch halls and all hands meetings. As leaders, seek diversity in your mentorship circle; reverse mentor with diverse people.

We, specifically, have an opportunity as a community NOT to further export existing bias, structural racism and sexism into Code, /// and to begin unwinding and righting that ship, today. This is a singular moment to do that.

I believe that people, especially in this community, are overwhelmingly good and fair – we choose careers that protect people. /// But complacency in the face of complexity and difficulty, no matter how subdermal, is not an option /// – unpacking the non-obvious and finding solutions for the complex and difficult is what we do! /// This (moment; this need) will not pass – we have to reframe and reshape our corporate cultures; we have to be more than allies, but partners in liberation, fairness and equity for all.

Now, I believe deeply in free speech. When I became a Marine, I took an oath to protect and defend the Constitution. I would fight and die to protect 1st Amendment speech I find abhorrent. But racists and sexists should have no harbor in business and we have to do more than just be — PRO. We have to dig in, do the hard work and excise the business pro-ductivity of sexism and racism.

Finally, I just read a book with Future of Privacy Forum called “Race After Technology: Abolitionist Tools for the New Jim Code” by Princeton Sociologist Ruha Benjamin. She goes deep into the structures and encoding of white supremacy, the way that it infects CODE, and how “racism is productive.” It’s revelatory and worth the read to at least spark the imagination for “what can we do” (and “who do we want to BE”).

Postscript:

If you found my comments compelling in any way, I urge you to read Ruha’s book and the work of the many scholars illuminating the historical contexts, costs and caustic impacts of white supremacy and racism on our society today. I urge you to really listen to and co-imagine reshaping company cultures with your colleagues who bring life experience with racism and bias to the workplace. I urge all of us to reflect on our own roles and opportunities to harness this moment to drive critical change.

Michael ‘Mac’ McCullough is the Chief Privacy Officer and GRC Leader at Macy’s, a former Marine, and a member of the FPF Advisory Board. These remarks were delivered in his personal capacity and are shared here to mark Juneteenth. The remarks are lightly edited.

Juneteenth

FPF is closed for Juneteenth as our staff reflects on both the history and current state of racism in America.  Our social media accounts will be silent, other than to elevate voices that can help us learn and take action on issues such as equity and inclusion.

In that spirit, we would like to call attention to the work of Professor Ruha Benjamin and her book Race After Technology: Abolitionist Tools for the New Jim Code. The FPF Privacy Book Club was honored to learn from Professor Benjamin this week and we invite you to watch the video and order her book. We found it to be a thought-provoking commentary on how emerging technologies can reinforce white supremacy and deepen social inequity. We would also like to call attention to 15+ Books by Black Scholars the Tech Industry Needs to Read Now, posted by the Center for Critical Internet Inquiry at UCLA.

Supreme Court Rules that LGBTQ Employees Deserve Workplace Protections–More Progress is Needed to Combat Unfairness and Disparity

Authors: Katelyn Ringrose (Christopher Wolf Diversity Law Fellow) and Dr. Sara Jordan (Policy Counsel, Artificial Intelligence and Ethics)

Today’s Supreme Court ruling in Bostock v. Clayton County—clarifying that Title VII of the Civil Rights Act bans employment discrimination on the basis of sexual orientation and gender identity—is a major victory in the fight for LGBTQ civil rights. Title VII established the Equal Employment Opportunity Commission (EEOC), and bans discrimination on the basis of sex, race, color, national origin and religion by employers, schools, and trade unions involved in interstate commerce or those doing business with the federal government. Today’s 6-3 ruling aligns with Obama-era protections, including a 2014 executive order extending Title VII protections to LGBTQ individuals working for the federal contractors. 

In this post, we examine the impact of today’s decision, as well as (1) voluntary anti-discrimination efforts adopted by companies for activities not subject to federal protections; (2) helpful resources on the nexus of privacy, LGBTQ protections, and big data; and (3) the work FPF has done to identify and mitigate potential harms posed by automated decision-making. 

In Bostock, the Supreme Court determined that discrimination on the basis of sexual orientation or transgender status are forms of sex discrimination, holding: “Today, we must decide whether an employer can fire someone simply for being homosexual or transgender. The answer is clear. An employer who fires an individual for being homosexual or transgender fires that person for traits or actions it would not have questioned in members of a different sex. Sex plays a necessary and undisguisable role in the decision, exactly what Title VII forbids.” 

Bostock resolved the issue through analysis of three cases:

“Today is a great day for the LGBTQ community and LGBTQ workers across the nation. The United States Supreme Court decision could not have come at a better time given the current COVID-19 crisis and the protests taking place across the country. However, there still remains much work to be done, especially around the areas of data and surveillance tools. The well-documented potential for abuse and misuse of these tools by unregulated corporations as well as government and law enforcement agencies should give serious pause to anyone who values their privacy–especially members of communities like ours that have been historically marginalized and discriminated against,” says Carlos Gutierrez, Deputy Director & General Counsel of LGBT Tech. “Today’s decision will protect over 8 million LGBT workers from work discrimination based on their sexual orientation or gender identity. This is especially heartening given that 47% or 386,000 of LGBTQ health care workers, people on the frontlines of the COVID-19 battle, live in states that had no legal job discrimination protections.” 

We celebrate today’s win. However, it is now more critical than ever to address data-driven unfairness that remains legally permissible and harmful to the LGBTQ community. 

Bostock should also influence a range of anti-discrimination efforts. In recent years, many organizations have engaged in various efforts to combat discrimination even when their activities are not directly regulated by the Civil Rights Act. When implementing such anti-discrimination programs, organizations often look to the Act to identify protected classes and activities. Bostock provides clarity — organizations  should include sexual orientation and gender identity in the list of protected classes even if their activities wouldn’t otherwise be regulated under Title VII. 

Anti-Discrimination Efforts //

Title VII of the the Civil Rights Act has historically barred discrimination on the basis of sex, race, color, national origin and religion; the Civil Rights Act, including Title VII, is the starting point for anti-discrimination compliance programs. Even companies that do not have direct obligations under the Act (including ad platforms) have utilized the Act to guide their anti-discrimination efforts (see the Network Advertising Initiative’s Code of Conduct). According to the Human Rights Campaign, the number of Fortune 100 companies that have publicly pledged to non-discrimination employment policies on the basis of gender identity increased from 11% (gender identity) and 96% in 2003 (sexual orientation) to 97% and 98% respectively by 2018. 

We caution that simply not collecting or ignoring sensitive information will not always be a solution that ensures discrimination is avoided. Even without explicit data, proxy information can reveal sensitive information. Furthermore, in order to assess whether protected classed are treated unfairly, it will sometimes be important to collect information that can identify discrimination. While sensitive data collection has its benefits and risks, the lack of data available to researchers can mean that policymakers do not have the information necessary to understand disparities in enough depth to create responsive policy solutions.

Helpful Resources // 

Unfairness by Algorithm //

While discriminatory decisions made by a human are clearly regulated, the full range of potentially discriminatory decisions made by a computer are not yet well understood. Yet algorithmic harms may be similarly pernicious, as well as more difficult to identify or amenable to redress using available legal remedies.

In a 2017 Future of Privacy Forum report, Unfairness by Algorithm: Distilling the Harms of Automated Decision Making, we identified four types of harms—loss of opportunity, economic loss, social detriment, and loss of liberty—to depict the various spheres of life where automated decision-making can cause injury. The report recognizes that discriminatory decisions and resulting unfairness as determined by algorithms can lead to distinct collective and societal harms. For example, use of proxies, such as “gayborhood” ZIP codes in algorithms or resume clues regarding LGBTQ community activism, can lead to employment discrimination and result in the same differential access to job opportunities. 

As organizations commit to LGBTQ protections, an adherence to data protection and fairness principles are one way to battle systemic discrimination. These principles include ensuring fairness in automated decisions, enhancing individual control of personal information, and protecting people from inaccurate and biased data. 

Conclusion //

Today’s decision regarding workplace protections could not be more welcome, particularly now as data from the Human Rights Campaign shows that 17% of LGBTQ people and 22% of LGBTQ people of color have reported becoming unemployed as a result of COVID-19. However, the fight for inclusivity and equality does not stop with law and legislation. Further work is necessary to ensure that data-driven programs uncover and redress discrimination, rather than perpetuate it.

Associated Press: Schools debate whether to detail positive tests for athletes

In a recent article published by the Associated Press in The Washington Post and The New York Times, the Future of Privacy Forum warns of the privacy risks of sharing information about positive COVID-19 tests among students, particularly student athletes who have already returned to campus to prepare for the upcoming sports season. Read an excerpt below and see the full article here.

Athletic programs sometimes avoid making formal injury announcements, citing the Health Insurance Portability and Accountability Act (HIPAA) or the Family Educational Rights and Privacy Act (FERPA). Both are designed to protect the privacy of an individual’s health records. The U.S. Education Department issued guidelines in March that said a school shouldn’t disclose personal identifiable information from student education records to the media even if it determines a health or safety emergency exists.

But is merely revealing a number going to enable anyone to identify which athletes tested positive? That’s up for debate.

Amelia Vance is the director of youth and education privacy at the Future Privacy Forum, a think tank dedicated to data privacy issues. Vance believes releasing the number of positive tests effectively informs the public without sacrificing privacy.

Vance said disclosing the number of positive tests for a certain team would help notify members of the general public who may have come into contact with the athletes and could serve as a guide to those schools that haven’t welcomed students back to campus yet.

“If you’re saying six students tested positive or a student was exposed and therefore we’re having the whole team tested or things like that, that wouldn’t probably be traced back to an individual student,” Vance said. “Therefore, neither (FERPA or HIPAA) is going to apply, so any claim that privacy laws wouldn’t allow that disclosure would be disingenuous.

“The key there is to balance the public interest with the privacy of the students,” she said. “Most of the time, the information colleges and universities need to disclose don’t require the identification of a particular student to the press or general public.”

Read the article here.

TEN QUESTIONS ON AI RISK

Gauging the Liabilities of Artificial Intelligence ​Within​ Your Organization

Artificial intelligence and machine learning (AI/ML) generate significant value when used responsibly – and are the subject of growing investment for exactly these reasons. But AI/ML can also amplify organizations’ exposure to potential vulnerabilities, ranging from fairness and security issues to regulatory fines and reputational harm.

Many businesses are incorporating ever more machine-learning based models into their operations, both on the backend and in consumer facing contexts. For those companies who are not developers of these systems themselves, but who use these systems, they assume the responsibility of managing, overseeing, and controlling these algorithmically-based learning models, in many cases without extensive internal resources to meet the technical demands they incur.

General application toolkits for this challenge are not yet broadly available, and to help fill that gap while more technical support is developed, we have created a checklist focused on asking questions to carry out sufficient oversight for these systems. The questions in the attached checklist – “Ten Questions on AI Risk” – are meant to serve as an initial guide to gauging these risks, both during the build phase of AI/ML endeavors and beyond.

While there is no “one size fits all” answer for how to manage and monitor AI systems, these questions will hopefully provide a guide for companies using such models, allowing them to customize the questions and frame the answers in contexts specific to their own products, services, and internal operations. We hope to build on this start and offer additional, detailed resources for such organizations in the future.

The attached document was prepared by bnh.ai, a boutique law firm specializing in AI/ML analytics, in collaboration with the Future of Privacy Forum.

Polonetsky: Are the Online Programs Your Child’s School Uses Protecting Student Privacy? Some Things to Look For

Op-ed by Future of Privacy Forum CEO Jules Polonetsky published in The74.

As CEO of a global data protection nonprofit, I spend my workdays focused on helping policymakers and companies navigate new technologies and digital security concerns that have emerged in the wake of the COVID-19 pandemic.

Meanwhile, my children have adopted many of these technologies and are participating in online learning via Zoom and dozens of other platforms and apps — some of which have sparked serious concerns about student privacy and data security in the classroom.

These things are not contradictory. Here’s why.

Specific laws have been put in place to protect especially sensitive types of data. Your doctor uses services that safeguard your health information, and your bank relies on technology vendors that agree to comply with financial privacy laws.

Similarly, as the use of technology in the classroom skyrocketed in the past decade, federal and state laws were established that require stringent privacy protections for students.

To comply, many general consumer companies like Google, Apple and Microsoft developed education-specific versions of their platforms that include privacy protections that limit how they will use student information. School districts set up programs to screen ed tech software, even though few of the new laws came with funding.

But many of these federal and state protections apply only to companies whose products are designed for schools, or if schools have a privacy-protective contract with vendors. As schools rushed to provide distance learning during their coronavirus shutdowns, some of the tools adopted were not developed for educational environments, leaving children’s data at risk for sale or marketing uses.

If your child’s school has rolled out new technology platforms for online learning, there are important steps you can take to determine whether the tool includes adequate safeguards to protect student privacy. First, ask whether your school has vetted the company or has a contract in place that includes specific limitations on how student information can be used. Don’t hesitate to ask your child’s teacher to explain what data may be collected about your child and how it will be used — you have a right to this information.

Second, check to see if the company has signed the Student Privacy Pledge, which asks companies that provide technology services to schools to commit to a set of 10 legally binding obligations. These include not selling students’ personal information and not collecting or using students’ personal information beyond what is needed for the given educational purposes. More than 400 education technology companies have signed the pledge in recent years, so this can be a quick resource for identifying businesses that have demonstrated a commitment to ensuring that student data are kept private and secure.

Most importantly, take time to review each program’s privacy settings with your child and have an honest discussion about behavior online. Even the strictest privacy controls can’t always prevent a student from disrupting class by making racist remarks in the chat or sharing the link or log-in credentials. I hate to load another burden on parents who are trying to work from home, but making sure your kid isn’t an online troll is partly on you.

Now more than ever, we are relying on technology to keep in touch with work, school, and friends and family. It hasn’t been — and will never be — perfect. Policymakers can help schools ensure that the technologies they use meet privacy and security standards by providing the resources for schools to employ experts in those fields.

As we all try to adjust to this new normal, we should embrace technologies that can add value to students’ educational experience, enhance our ability to work remotely and help us stay connected. But we must first make sure the appropriate safeguards are in place so privacy and security don’t fall by the wayside.

Jules Polonetsky is the CEO of the Future of Privacy Forum, a Washington, D.C.-based nonprofit that serves as a catalyst for privacy leadership and scholarship, advancing principled data practices in support of emerging technologies. Previously, he served as chief privacy officer at AOL and DoubleClick, as New York City consumer affairs commissioner, as a New York state legislator, as a congressional staffer and as an attorney.

A Landmark Ruling in Brazil: Paving the Way for Considering Data Protection as an Autonomous Fundamental Right

Authors: Bruno Ricardo Bioni and Renato Leite Monteiro

A historic ruling of the Brazilian Supreme Court from May 07, 2020 describes the right to data protection as an autonomous right stemming from the Brazilian Constitution. By a significant majority, 10 votes to 1, the Court halted the effectiveness of the Presidential Executive Order (MP[1] 954/2020) that mandated telecom companies to share subscribers’ data (e.g., name, telephone number, address) of more than 200 hundred million individuals with the Brazilian Institute of Geography and Statistics (IBGE), the country’s agency responsible for performing census research. More important than the decision itself was its reasoning, which paves the way for recognizing the protection of personal data as a fundamental right, independent of the right to privacy, that already receives such recognition, in a similar fashion to the Charter of Fundamental Rights of the European Union. This article summarizes the main findings of the ruling. First, (1) it will provide background on the role of the Brazilian Supreme Court and the legal effects of the ruling. It will then look into (2) the facts of the case, (3) the main findings of the Court, to conclude with (4) an analysis of what comes next for the Brazilian data protection and privacy law. 

  1. The role of the Supreme Court and its rulings in the Brazilian legal system

The Brazilian legal system resembles the federative structure of the country. Each state has its own lower courts and appeal bodies. At the federal level, there are also lower courts and appeal bodies with specific scope, such as labor law, cases with international effects or lawsuits against federal agencies. On top of that there are superior courts also with specific scope, such as specific violations of federal laws. 

At the top of the system sits the Brazilian Supreme Court (STF), a constitutional court of eleven Justices appointed by the President. With few exceptions, only extraordinary cases which directly violate the federal constitution, e.g. violation of fundamental rights, reach the court and its rulings can have binding effects upon all other levels of the Brazilian legal system, depending on the type of proceeding or effects granted by the Justices. 

One particular type of proceeding, known as Direct Action of Unconstitutionality (ADI), can be filed directly to the Supreme Court without the need to be discussed on lower-level courts or any other court in cases in which laws or norms directly violate the constitution. Rulings from this particular type of proceedings have nationwide binding effects for all entities of the three branches of the government and for private organizations. This was the type of proceeding filed at STF to discuss data protection as an autonomous fundamental right. Its ruling, therefore, will have overall binding effects. 

  1. Facts of the case and proceedings

Due to social distancing measures adopted in response to the COVID-19 pandemic, staff of the Brazilian Institute of Geography and Statistics (IBGE) is not able to visit citizens in order to conduct face-to-face interviews for the statistical research necessary to perform the national census, known as National Household Sample Survey (PNAD). This is the context behind the Presidential Executive Order 954/2020 (MP), which aimed to allow the IBGE to carry out its census research through telephone interviews. In other words, the declared purpose was to avoid a “statistical blackout”. 

The telephone interviews presupposed to collect data regarding various socioeconomic characteristics, such as population, education, work, income, housing, social security, migration, fertility, health, nutrition, among other topics that can be included in the research according to the information needs of Brazil, e.g., behavior data on the context of the pandemic. These interviews have always been conducted in person on a sample of 70 thousand households that were a statistical representation of the Brazilian population. However, the MP mandated that subscribers data of 200 million telecom clients should be shared with IBGE to perform the census. At a first glance, the first question brought to the Court’s attention was: why is personal data of so many citizens necessary to achieve the same purpose that used to be achieved in the past with fewer information?

 The issue was raised by four different political parties and the national bar association that filed five ADI upon the STF to discuss violations to the fundamental right to privacy, expressly granted by Art. 5, X, of the Federal Constitution, and to the right to secrecy of communications data, provided by Art. 5, XII. In previous case-law, the Court struggled to recognize stored data, such as subscribers data, as data protected by Art. 5, XII. Long standing precedents only granted such type of protection to data in motion, like ongoing telephone calls or data being transmitted. Acknowledging the need to update this understanding in light of new technologies and the impact that the misuse of data can have upon individuals and the society, another argument was presented: the need to recognize the right to protect personal data as an autonomous fundamental right.    

When the ADIs were filed, Justice Rosa Weber, Rapporteur of the case, granted an injunction order suspending the effects of the MP until it was further discussed by all Justices, identifying probable violations of the aforementioned constitutional rights, also arguing that despite the pandemic we are living in there was no public interest to share personal data of 200 million people to undergo the desired public policy.  

The trial in front of the eleven Justices started on May 6, with the participation of the parties’ lawyers and of amici curiae, including Data Privacy Brasil. The organisation filed an amicus brief and it was represented for the oral statement by its Director Bruno Ricardo Bioni (a co-author of this article), who spoke at length about the singular position of the right to protection of personal data, its status as an autonomous fundamental right, the many vices of the executive order and the current data protection landscape in Brazil, including the fact that the Brazilian General Data Protection Law (LGPD) is still in vacatio legis. He also reminded the Court that the national data protection authority, which will provide guidance and enforcement, is yet to be established. The English translation of the oral statement is available online.

  1.  Main findings of the Court

Historically, the STF has ruled solely based on the right to privacy and, most importantly, following the legal rationale of this fundamental right by which only private/confidential data should be protected. In the case RE 601314, the Court ruled that the Brazilian Federal Revenue Office (the Brazilian IRS) could have access to financial data from Banks without a court order. According to the Court, the data would remain confidential since only IRS’s staff would have access to the data, and they should abide by their severe informational fiduciary duties. Moreover, such data did not comprise sensitive (‘intimate’) information about individuals (e.g. religion, family relationships) and, therefore, requests to access data from the IRS would not disproportionately interfere on the right to private life. In the case RE 1055941, the same reasoning was adopted in order to grant similar data access request powers to the Public Prosecutor’s Office.  

The new precedent of the Supreme Court is such a remarkable shift of how the Court has been analyzing privacy and data protection because it changes the focus from data that is secret to data that is attributed to persons and might impact their individual and collective lives, regardless of whether they are kept in secrecy or not. There is no more irrelevant data. Justice Carmen Lucia argued that the world that we used to live in, where personal data was freely available in telephone catalogs without substantial risks, does not exist anymore. In this sense, the Brazilian Federal Constitution protects not only confidential data, but all and any type of data that can be deemed as an attribute of the human personality. The best example is the habeas data, a procedural constitutional right by which any person has the right to know what information organizations hold about them, as it was argued by Justice Luix Fuz, recalling a precedent of the Supreme Court (Extraordinary Appeal 673.707). The habeas data constitutional right, originally conferred only against public organizations, is a reminiscence of dictatorial times in Brazil and throughout Latin America, when information about citizens was kept in secrecy by the government and used to suppress the population. This provision can now be used to retrieve personal data held by private entities, as long as the databases at issue are of public interest, such as consumer protection databases managed by data brokers.  

If the Brazilian Constitution’s core value is the protection of human dignity, the protection it affords should go beyond the right to privacy in order to address other harmful challenges to an individual’s existence, and not only harms to personality rights. Today, humanity can be hacked not only through granting access to data regarding our intimacy, or aspects of human personality that must be locked under seven keys. Recalling the work of philosopher Yuval Harari, Justice Gilmar Mendes argued that due to technological progress, any type of data use that covers an extension of our individuality can pose a threat to human rights and fundamental freedoms. For this reason Justice Fux argued that just like the Charter of Fundamental Rights of the EU, the Brazilian Constitution should recognize the protection of personal data as an autonomous fundamental right, distinct from the right to privacy.

The Cambridge Analytica scandal was recalled by Justice Luiz Fux to contextualize the collective dimension of data protection rights. By describing the facts surrounding that case, the Justice highlighted how the misuse of personal data can have an impact that surpasses the individual and can affect the very foundations of democracies and influence electoral outputs. “We know today that the dissemination of this data is very dangerous”, affirmed Justice Fux, reminiscing of his term as President of the Superior Electoral Court, when he analyzed a case concerning lack of transparency and knowledge of how personal data is collected and used for political purposes, which can lead to unattended consequences that violate individual and collective rights.

If the mere processing of personal data can pose risks over the rights of individuals, it should be backed by appropriate safeguards in order to manage potential harmful effects. Thus, protection of personal data should receive the same protection conferred by the due process clause. It is the type of protection that takes into consideration that there are risks to public liberties associated with the mere processing of data that is linked to a person, as argued by Justice Gilmar Mendes, quoting Julie Cohen and her work on informational due process. 

“The use of personal data is inevitably an interference over the personal sphere of someone”, highlighted Justice Luis Roberto Barroso. As a  consequence, it should be proportionate by verifying if: 

  1. a) the purpose of the processing is clearly specified and legitimate; 
  2. b) the amount of data collected is limited to what is strictly necessary in relation to the purposes for which they are being processed; 
  3. c) information security measures are adopted to avoid unauthorized third-party access. 

Such proportionality test was the conclusion made by Justice Luis Roberto Barroso, which is clearly crafted after the traditional principles of protection of personal data. For the first time, a Judge of the Supreme Court has provided a ruling with such strong wording supporting fair information practice principles as components of an autonomous constitutional right to data protection. 

In addition, another landmark case was initiated by the STF two weeks later, with two judges already publishing their opinions. The main question in this second case is whether Internet platforms could implement encryption technology to the level that it could limit and even avoid the access of law enforcement authorities to data stored or in transit necessary to investigate crimes. Again, the proceeding ADPF 403, known as Request of Non-Compliance with Basic Constitutional Principles (ADPF), that has the same effects of ADIs, discussed the violation of the fundamental rights to privacy and secrecy of communication data. “Digital Rights are Fundamental Rights”: with this strong affirmation, Justice Edson Facchin, the rapporteur, gave his vote ruling out any interpretation of the constitution that would allow a court order to provide exceptional access to end-to-end encrypted message content or that, by any other means, weakens the cryptographic protection of internet applications. Justice Rosa Weber highlighted in her ruling that “the past 3 decades have been an arms race of protection technologies and privacy violations. The law cannot be ignored and must preserve the balance between privacy and the proper functioning of the State”. She also stated that “cryptography, as a technological resource, has taken on special importance in the implementation of human rights”.  

The case is still under ongoing proceedings and pending the votes of the other 9 Justices. Nonetheless, the two opinions already published are a breakthrough and show a steep change in the perception and understanding of Brazil’s highest court towards privacy and data protection rights. 

  1. A look to the future: the Brazilian General Data Protection Law and the amendment to the Brazilian Constitution

Despite this historical ruling, Brazil still lacks an institutional infrastructure to supervise and enforce data protection rights. The National Data Protection Authority was created by the Brazilian General Data Protection Law (“LGPD”), but is yet to be established. LGPD was approved in 2018, with an initial adaptation period of 18 months, which was soon amended to be increased by 6 months, leaving the effective date to August 2020. In parallel, a proposal to amend the Federal Constitution aims to include the protection of personal data in the list of fundamental rights. The proposal was unanimously approved by the Senate and by a special parliamentary commission of the House of Representative. Now it needs to be approved by two-thirds of this house. 

Now, due to the COVID-19 pandemic, a new bill and another executive order aim to postpone the entering into force of the LGPD to 2021. The bill was already voted by both the Senate and the House of Representatives and it is now to Presidential confirmation. If ratified as it is, the new law would keep the effective date to August 2020. However, it would amend LGPD to allow penalties and enforcement actions only to August 2021. In parallel, a presidential executive order already amended LGPD to change the effective date to May 2021. Nevertheless, this order needs to be approved by the Congress until July this year, what is unlikely to happen due to disputes between the two branches. That said, we can end up not knowing until July when the law will be in effect, one month before its original and possible date. On top of that, the National Data Protection Authority (ANPD), created in Dezember 2018, is yet to be established. Therefore, we can end up in twilight zone with no knowledge what may take place.

What is remarkable is that until the bill to amend the constitution is not adopted, which may not happen in the near future due to political unrest, this ruling of the Brazilian Supreme Court already paves the way to recognize the right to data protection in practice. 

 

About the authors:

Bruno Ricardo Bioni is a PhD candidate at University of São Paulo School of Law. He was a study visitor at Council of Europe/CoE and at the European Data Protection Board/EDPB. Founder of Data Privacy Brasil; Contact: [email protected].

Renato Leite Monteiro is a PhD candidate at the University of São Paulo School of Law. He was a study visitor at Council of Europe and actively participated in the discussions that led to the Brazilian General Data Protection Law. Founder of Data Privacy Brazil; Contact: [email protected]

Data Privacy Brasil  is a non-governmental organization with two operational branches: Data Privacy Brasil School, which provides training services and privacy courses, and the Research Association Data Privacy Brasil, which  focuses  on the research of the interconnection between protection of personal data, technology and fundamental rights. Data Privacy Brasil aims to improve privacy and data protection capacity-building for organizations active in Brazil. 

[1] MP- Brazilian abbreviation for Provisional Measure which is a legal act in Brazil through which the President can enact laws for 60 days without approval by the National Congress.

Endgame Issues: New Brookings Report on Paths to Federal Privacy Legislation

Authors: Stacey Gray, Senior Counsel (US Legislation and Policymaker Education), Polly Sanderson, Policy Counsel

 

This afternoon, The Brookings Institution released a new report, Bridging the gaps: A path forward to federal privacy legislation, a comprehensive analysis of the most challenging obstacles to Congress passing a comprehensive federal privacy law. The report includes a detailed range of practical recommendations and options for legislative text, the result of work with a range of stakeholders to attempt to draft a consensus-driven model privacy bill that would bridge the gaps between sharply divided stakeholders (read the full legislative text of that effort here). 

Among the legislative options for issues that will have to be addressed to pass a federal privacy law, the report explores: endgame issues (including preemption and enforcement), hard issues (such as limits on processing of data, civil rights, and algorithmic decision-making), solvable issues (such as covered entities, data security, and organizational accountability), and implementation issues (such as notice, transparency, and effective dates). 

Below, we discuss how the Brookings report addresses the two “endgame issues,” enforcement and preemption, in a path towards federal privacy legislation. We agree that these are endgame issues given that neither is optional–both topics must be addressed in any federal privacy law–and because they are issues on which lawmakers on both sides of the aisle (and more broadly, industry and privacy advocates) remain the most deeply divided.

Enforcement

Any meaningful federal law must contain provisions for its enforcement. However, there is considerable disagreement regarding how a privacy law should be enforced. Enforcement mechanisms can vary widely, from agency enforcement (by the Federal Trade Commission or another federal agency), to state law enforcement (such as Attorneys General), to various kinds of private rights of action (by which individuals can challenge violations in court).

A number of Senate and House Democrats and privacy advocates are proponents of a federal private right of action (usually in addition to federal agency enforcement). Many privacy advocates observe that private litigation has played an important role in enforcing federal civil rights laws. They have also expressed concerns that a federal agency will not have sufficient resources, political will, or incentives to adequately enforce the law, for example, when a violation involves harm to only one or a few individuals. Read more from advocates:

In contrast, most tech and business groups, and many Republicans, have expressed support for the more centralized enforcement authority of the Federal Trade Commission. Typically, they observe that data privacy harms can be difficult to define and measure, and argue that centralized enforcement would provide needed clarity and legal certainty to businesses and consumers around a consistent national standard. Business stakeholders also tend to cite concerns over contingency-based class action litigation, including risks to small businesses and financial incentives for meritless litigation. Read more from tech and business groups:

The Brookings proposal suggests a potential compromise: a tiered and targeted private right of action. Recovery would typically be limited to “actual damages,” but would impose statutory damages of up to $1000 per day for “wilful or repeated violations.” Specified harms under the duty of care would not be subject to a heightened standard, while other violations would require individuals to show a “knowing or reckless” violation to sue. Technical violations only give rise to suit if they were “wilful or repeated.” Importantly, potential plaintiffs would also be required to exercise a “right of recourse” before bringing a suit. This approach would give covered entities an opportunity to receive notice and cure the violation, and individuals a way to address privacy disputes outside the courts. 

Preemption

When Congress passes a federal privacy law, lawmakers must decide to what extent it will “preempt,” or nullify, current and future state and local privacy and data protection laws. Given the nature of modern data flows, most companies see clear benefit in uniform obligations across state lines and for consumers to have a core set of common rights. However, some argue that privacy can also have a uniquely local character, and note that state legislators have been at the forefront of many novel privacy protections, including in response to crises or rapid technological changes. 

The Brookings report proposes several potential compromises to attempt to bridge the gaps between the broad preemption in Senator Wicker (R-MS)’s staff discussion draft and the narrow preemption provisions in most Democratic bills, including Senator Cantwell’s Consumer Online Privacy Rights Act (COPRA). The report suggests preempting state laws only where they interfere with federal provisions specifically related to data collection, processing, transfers, and security. It also recommends that the Federal Trade Commission be authorized to preempt any state law inconsistent with the federal standard, and suggests a limited eight-year sunset clause on preemption.

Looking Ahead

We are optimistic that this new report from The Brookings Institution will be a source of thoughtful debate, and help stakeholders advance the conversation about these contentious issues. In addition to the difficult “endgame” issues of enforcement and preemption, the report identifies a detailed and wide range of other solvable issues having to do with implementation or operational issues on which there is broad agreement. As a result, it provides a highly practical starting point for stakeholders to engage around key issues that will need consensus.

The report observes that its recommendations “will not satisfy maxialists on either side of the debate” but that it may address “legitimate interests of divergent stakeholders.” Indeed, both sides have something to gain from striking a balance – and we agree that “both have something to lose from continued inaction and stalemate.”