On October 1st 2020, the Millennial Action Staff Association (MASA) hosted a webinar “Data Privacy, Where Do We Go From Here?” featuring a moderated discussion with Professor Laura Moy, Director of Georgetown University Law Center’s Communications & Technology Law Clinic & Associate Director of the Center on Privacy & Technology, and Shane Tews, Visiting Fellow at the American Enterprise Institute, where she works on international communications, technology, and cybersecurity issues, including privacy, internet governance, data protection, 5G networks, and artificial intelligence; Ms. Tews is also president of Logan Circle Strategies.
The conversation began with a reflection on the current data privacy debate in Congress and discussion of where each panelist thinks the conversation is headed moving into the next Congress. Specifically, Professor Moy and Ms. Tews discussed their thoughts on what the scope of federal data privacy legislation should be, what questions need to be considered and addressed by policymakers, and what impact recent international and state data privacy legislation should have on federal lawmakers.
Professor Moy began by highlighting poll data from the Pew Research Center indicating that 75% of Millennials think there should be more regulation on data privacy. Despite this finding, Millennials are also more likely than their older counterparts to be accepting of data usage with positive social impacts, such as monitoring for signs of depression or for risks of self-harm. The findings indicate, according to Professor Moy, that young people are proponents of data being used to benefit others and society at large.
Professor Moy also focused on the important issue of discrimination, namely that data used to target content to certain demographics can lead to the siloization of career opportunities, inhibit intergoup communication, and otherwise perpetuate existing biases. Professor Moy mentioned studies that show ads on Facebook tend to display particular content to certain racial groups, which is an efficient way to distribute content but can easily result in discriminatory effects. Professor Moy made clear that policymakers can prohibit discriminatory data practices by including robust controls of data usage in any agreement. Prohibiting platforms like Facebook or Twitter from selling data collected on users to third parties without explicit consent, and limiting the uses of user data internally on these platforms are options policymakers can pursue.
Lastly, Professor Moy touched on two major issues that are currently addressed differently in proposed GOP and Democratic legislation: preemption and private right of action. Preemption refers to whether federal law will take precedence over existing state laws, and private right of action is defined as the right of private parties to bring a civil lawsuit for violations of data protections. Professor Moy contended that the GOP legislation, offered by Senator Roger Wicker (R-MS) is too broad on the issue of preemption and would eliminate the state's ability to craft more robust privacy protections.
Ms. Tews, in turn, emphasized the overarching need for transparency, accountability, and consistency in any federal data privacy legislation. Ms. Tews explained that by focusing on embedding these three qualities into data privacy regulation, federal lawmakers can avoid the implementation and compliance pitfalls experienced in the aftermath of other data privacy legislative action. Referencing the California Consumer Privacy Act as an example, Ms. Tews explained that the expansive act clearly possessed the right spirit in attempting to define data privacy protocols, but the scope and complexity of the bill have led to myriad compliance uncertainties.
Similarly, according to Ms. Tews, enforcement of the European Union’s General Data Protection Regulation has opened consequential new questions about international transfers and uses of data. Citing Schrems I & II, Ms. Tews explained how the compliance scope of GDPR remains unsettled, creating an environment of prolonged uncertainty for businesses. The Schrems saga continues to shape data privacy praxis in real time; the initial case involved an EU citizen, Schrems, challenging the validity of Facebook’s transfer and use of data from the EU to the United States in a suit that found its way to the Court of Justice of the European Union and ultimately narrowed justifiable trans-Atlantic data transfers. Schrems II was a reformulated challenge by the same plaintiff that culminated in a July 2020 ruling that all companies collecting or using EU citizens' data must make their own determination as to whether other countries in which that data will be used or shared adequately protect data up to GDPR standards. The rulings have been lauded as victories by many privacy advocates, yet they also jeopardize substantial revenue streams for certain businesses and have effectively outlawed some common practices overnight with very little compliance guidance. In response, Facebook suggested they may suspend operations in the EU.
Finally, one of Ms. Tews' strongest points consisted of urging lawmakers to avoid embedding current technology in legislation because technology changes so quickly, often with unforeseen consequences. Ms. Tews, in turn, emphasized the importance of legislating outcomes—focusing on embedding clearly defined values into the regulatory ecosystem—and making the terms of use and privacy rights as simple and easy to understand as possible for consumers.
The webinar concluded with Q/A from the virtual audience. Both panelists agreed on the need for increased resources, funding, and staff for the Federal Trade Commission in order to effectively enforce current and future data protection laws and regulations. Professor Moy and Ms. Tews both agreed that expanding the FTC’s direct supervisory authority should be a priority, however Professor Moy suggested such responsibilities might be better handled by an independent data protection authority, such as the EU's Data Protection Authorities. Regardless of the ultimate enforcement authority, both panelists agreed on the need to enhance federal capacity to penalize companies and actors that violate data protection regulations which will increase consumer confidence and improve compliance with new laws. On this point, Professor Moy shared that the FTC currently lacks resources to conduct effective 6(b) studies—wide-ranging audits of data protocols that do not have a specific law enforcement purpose but that can uncover unlawful behavior. Professor Moy and Ms. Tews left the audience with a stronger understanding of the issues and questions facing policymakers over federal data privacy legislation and what challenges need to be addressed in order to achieve uniform and enforceable federal data privacy legislation.