Law in the Internet Society

AllysonChavezSecondEssay 5 - 06 Feb 2024 - Main.AllysonChavez
Line: 1 to 1
 
Changed:
<
<
-- AllysonChavez - 11 Dec 2023
>
>

We Need a Federal Online Privacy Regulatory Framework

 
Deleted:
<
<

We Need a Federal Online Privacy Regulatory Framework

 
Deleted:
<
<

When one thinks about security regulations on the internet, individuals often ask, "What can I do to keep myself safe?" This instinct is of individual blame, and thus, seeking an individual solution is understandable, given that we live under Western Philosophy's idea of individualism. Nevertheless, the road toward effective security regulation is not one of individualist change but rather one of ecological change.

 
Deleted:
<
<

The Ecology of Privacy

 
Changed:
<
<

One cannot think of privacy concerns as issues of individual action and responsibility. This perspective misses the reality that issues of privacy deal with multiple interconnected biological and non-biological actors. Take one neighborhood, for example. Let's say that House A and House B both have access to a mechanism that will protect them from any privacy concerns. Nevertheless, it is up to each house to sign up or accept the security, creating a system where not every house in the neighborhood is protected. This regulation is ineffective because it is akin to using an umbrella with holes during the rain; some water is bound to get through, and you will ultimately end up wet. It works similarly when private consumer data protection differs from state to state. Just like water, the internet doesn't stop at state lines.

>
>

I. The Ecology of Privacy

 
Changed:
<
<

Regulating Online Privacy like Water

>
>

One cannot think of privacy concerns as issues of individual action and responsibility. This perspective misses the reality that the problems of privacy deal with multiple interconnected biological and non-biological actors. Take one neighborhood, for example. Let's say that House A and House B both have access to a mechanism that will protect them from any privacy concerns. Nevertheless, it is up to each house to sign up or accept the security, creating a system where only some homes in the neighborhood are protected. This regulation is ineffective because it is akin to using an umbrella with holes during the rain; some water is bound to get through, and you will ultimately end up wet. It works similarly when private consumer data protection differs from state to state. Just like water, the internet doesn't stop at state lines.

 
Deleted:
<
<

Our drinking water is regulated under the Safe Drinking Water Act ("SDWA"). According to the Environmental Protection Agency ("EPA"), "under the SDWA, EPA sets standards for drinking water quality and oversees the states, localities, and water suppliers who implement those standards." 1 Even though different actors might have different needs in various contexts, there is still a uniform set of federal standards for drinking water across the United States. In the water regulatory scheme, it is not up to each individual whether they receive lead-poisoned water; it's up to the government actors to do their jobs and set uniform standards across the country. Similarly, the onus of securing online privacy should not be on citizens but on government actors whose job is to set standards and regulations.

 
Changed:
<
<

Imagining an Online Privacy Regulatory Commission

>
>

II. Basing Online Privacy Regulation on Environmental Regulatory Principles

 
Deleted:
<
<

Like the EPA or the Nuclear Regulatory Commission, the Online Privacy Regulatory Commission would be an independent agency with rulemaking authority whose job would be to set standards and regulations for online privacy control and oversee that States and Online service providers implement these standards. My suggested regulatory scheme would not cure our current privacy issues but would shift U.S. regulation in the right direction. Currently, "the United States doesn’t have a singular law that covers all types of data privacy. Instead, it has a mix of laws that go by acronyms like HIPAA, FCRA, FERPA, GLBA, ECPA, COPPA, and VPPA."2 The way our current privacy (or lack thereof) regulatory framework works is akin to allowing your neighbors to use lead-poisoned water and you think your water is safe from pollution. Privacy regulation is an ecological issue and must be regulated as such.

 
Changed:
<
<
This draft does a terse job explaining why, I think, but we can get real improvement if we think about how. There are two ways we can take that up: by thinking about legislation or by thinking about politics.
>
>

The National Environmental Policy Act (“NEPA”) requires federal agencies to assess the environmental effects of their proposed actions before making decisions. In other words, the NEPA sets an overarching set of commitments and requires people to move consciously to make impact statements that are justiciable in federal courts. NEPA establishes “the broad national framework for protecting our environment.” Under NEPA there are vertical regulatory schemes that deal with specific areas of the environment in which we want the government to achieve the objective set by i.e., The Drinking Water Act ("SDWA") and The Clean Air Act (CAA).

 
Changed:
<
<
If privacy regulation should be based—as I think and you agree—on environmental principles of regulation (based not around transactions but around standards of care and liabilities not for breach but for failure to avoid harm) then what should legislation look like? Thinking about the architecture of US environmental law (NEPA; the air, water, and waste statutes; impact statements and their jurisprudence; criminal statutes and enforcement) might help to lay out a broad blueprint of the statutes we would need, which would—it is needless to say—look nothing like GDPR and all the other national legislation that depends on or imitates it.
>
>

According to the Environmental Protection Agency ("EPA"), "under the SDWA, EPA sets standards for drinking water quality and oversees the states, localities, and water suppliers who implement those standards." Even though different actors might have different needs in various contexts, there is still a uniform set of federal standards for drinking water across the United States. In the water regulatory scheme, it is not up to each individual whether they receive lead-poisoned water; it's up to the government actors to do their jobs and set uniform standards across the country. Similarly, the onus of securing online privacy should not be on citizens but on government actors whose job is to set standards and regulations.

 
Deleted:
<
<
Politics tells us what can be made law, not just legislation. That brings you into the question, if this is what we need, why do we have something completely opposite? We have a carefully-constructed no-law system in place, with some exceptional areas of carefully-determined law represented by those alphabet-bubbles to which you refer, marking islands of government efforts to protect people in a sea of protecting data against interference from the people it's about. Such an intricate filigree structure does not arise by pure accident: we need to understand how it evolved if we are going to get sixty votes in the Senate for something else.
 
Changed:
<
<

>
>

III. Imagining a National Privacy Security Policy Act (“NPSP”)

 
Deleted:
<
<
1.Regulatory and guidance information by topic: Water | US EPA
 
Changed:
<
<
2. Thorin Klosowski, The State of Consumer Data Privacy Laws in the U.S. (and why it matters), The New York Times (2021)
>
>

Currently, “the United States doesn’t have a singular law that covers all types of data privacy. Instead, it has a mix of laws that go by acronyms like HIPAA, FCRA, FERPA, GLBA, ECPA, COPPA, and VPPA.” The way our current privacy (or lack thereof) regulatory framework works is akin to allowing your neighbors to use lead-poisoned water. You think your water is safe from pollution. Privacy regulation is an ecological issue and must be regulated as such.

 
Added:
>
>

We must imagine what the NEPA equivalent statute for privacy regulation would look like. What overarching set of commitments or standards would it lay out? This paper proposes a National Privacy Security Policy Act (“NPSP”). The act would establish a broad national framework for protecting American citizens’ privacy. It is imperative to stress that this act and any verticals to follow focus on protecting people, not data. I also want to note my limitation in suggesting specific commitments and standards, given that I am not a privacy expert, and we need experts to develop these standards. However, I can humbly lay out a brief blueprint.

 
Deleted:
<
<
Microbrain Word didn't really export the footnotes to HTML. They should have been links anyway, anchored in the text.
 
Added:
>
>

Congress knows to protect people v. protecting data, at least when it wants to. “The Bork Tapes” refers to a series of 146 videotapes rented out by then-Judge Robert Bork from Block Buster Videos. During his Supreme Court confirmation hearings, the City Paper published Bork’s rentals in a cover story called “The Bork Tapes.” Congress responded by passing the Privacy Protection Act (VPPA), which forbids the sharing of video tape rental information with anyone. However, in 2012, “after lobbying by Netflix, Congress and President Obama stripped away much of the VPPA” to allow many companies to begin selling users' data at will.

 
Changed:
<
<
 
>
>

The watering down of the VPPA uncovered a critical fact: The gap in privacy regulation is not a vacuum but a structure that was put there to repeal, and it's carefully designed to repeal new regulations. Lobbies of companies like Netflix have carefully arranged a “no-law zone”; these platforms’ creation of a no-law system is carefully maintained in and by the United States Senate, which results in an unwillingness to use the democratic process to protect people. This lack of security regulations is an engineered item.

The NPSP would fill in the gap by making it illegal to sell user data to third parties. It would also take away Congress’ power to make this decision by putting those regulatory schemes in the hands of a federal agency such as the Online Privacy Regulatory Commission. Companies like Netflix, Hulu, and Facebook would have to make impact statements about their privacy regulations that are justiciable in federal courts.

A federal regulatory body would keep actors in check and impose fines and criminal sanctions when the act is violated. That is, if a company is found to be selling data to third-party vendors when it released a statement that it would not, the company would be open to civil and criminal charges. Like the EPA or the Nuclear Regulatory Commission, the Online Privacy Regulatory Commission would be an independent agency with rulemaking authority whose job would be to set standards and regulations for online privacy control and oversee that States and Online service providers implement these standards.

Sources

  1. https://www.epa.gov/nepa/what-national-environmental-policy-act#:~:text=The%20National%20Environmental%20Policy%20Act%20(NEPA)%20was%20signed%20into%20law,actions%20prior%20to%20making%20decisions.
  2. https://www.epa.gov/laws-regulations/summary-national-environmental-policy-act
  3. https://www.epa.gov/regulatory-information-topic/regulatory-and-guidance-information-topic-water
  4. https://www.nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us/
  5. https://theconversation.com/online-viewer-privacy-is-regulated-by-an-act-originally-designed-to-protect-video-rentals-119515

Revision 5r5 - 06 Feb 2024 - 04:45:24 - AllysonChavez
Revision 4r4 - 08 Jan 2024 - 16:00:38 - EbenMoglen
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.