Law in the Internet Society
-- AllysonChavez - 11 Dec 2023

We Need a Federal Online Privacy Regulatory Framework

When one thinks about security regulations on the internet, individuals often ask, "What can I do to keep myself safe." This instinct is of individual blame, and thus, seeking an individual solution is understandable, given that we live under Western Philosophy's idea of individualism. Nevertheless, the road toward effective security regulation is not one of individualist change but rather one of ecological change.

The Ecology of Privacy

One cannot think of privacy concerns as issues of individual action and responsibility. This perspective misses the reality that issues of privacy deal with multiple interconnected biological and non-biological actors. Take one neighborhood, for example. Let's say that House A and House B both have access to a mechanism that will protect them from any privacy concerns. Nevertheless, it is up to each house to sign up or accept the security, creating a system where not every house in the neighborhood is protected. This regulation is ineffective because it is akin to using an umbrella with holes during the rain; some water is bound to get through, and you will ultimately end up wet. It works similarly when private consumer data protection differs from state to state. Just like water, the internet doesn't stop at state lines.

Regulating Online Privacy like Water

Our drinking water is regulated under the Safe Drinking Water Act ("SDWA"). According to the Environmental Protection Agency ("EPA"), "under the SDWA, EPA sets standards for drinking water quality and oversees the states, localities, and water suppliers who implement those standards." 1 Even though different actors might have different needs in various contexts, there is still a uniform set of federal standards for drinking water across the United States. In the water regulatory scheme, it is not up to each individual whether they receive lead-poisoned water; it's up to the government actors to do their jobs and set uniform standards across the country. Similarly, the onus of securing online privacy should not be on citizens but on government actors whose job is to set standards and regulations.

Imagining an Online Privacy Regulatory Commission

Like the EPA or the Nuclear Regulatory Commission, the Online Privacy Regulatory Commission would be an independent agency with rulemaking authority whose job would be to set standards and regulations for online privacy control and oversee that States and Online service providers implement these standards. My suggested regulatory scheme would not cure our current privacy issues but would shift U.S. regulation in the right direction. Currently, "the United States does ’t have a singular law that covers all types of data privacy. Instead, it has a mix of laws that go by acronyms like HIPAA, FCRA, FERPA, GLBA, ECPA, COPPA, and VPPA."2 The way our current privacy (or lack therefore) regulatory framework works is akin to allowing your neighbors use lead-poisoned water and you think your water is safe from pollution. Privacy regulation is an ecological issue and must be regulated as such.

This draft does a terse job explaining why, I think, but we can get real improvement if we think about how. There are two ways we can take that up: by thinking about legislation or by thinking about politics.

If privacy regulation should be based—as I think and you agree—on environmental principles of regulation (based not around transactions but around standards of care and liabilities not for breach but for failure to avoid harm) then what should legislation look like. Thinking about the architecture of US environmental law (NEPA; the air, water, and waste statutes; impact statements and their jurisprudence; criminal statutes and enforcement) might help to lay out a broad blueprint of the statutes we would need, which would*mdash;it is needless to say—look nothing like GDPR and all the other national legislation that depends on or imitates it.

Politics tells us what can be made law, not just legislation. That brings you into the question, if this is what we need, why do we have something completely opposite? We have a carefully-constructed no-law system in place, with some exceptional areas of carefully-determined law represented by those alphabet-bubbles to which you refer, marking islands of government efforts to protect people in a sea of protecting data against interference from the people it's about. Such an intricate filigree structure does not arise by pure accident: we need to understand how it evolved if we are going to get sixty votes in the Senate for something else.


1.Regulatory and guidance information by topic: Water | US EPA

2. Thorin Klosowski, The State of Consumer Data Privacy Laws in the U.S. (and why it matters), The New York Times (2021)

Microbrain Word didn't really export the footnotes to HTML. They should have been links anyway, anchored in the text.

 

Navigation

Webs Webs

r4 - 08 Jan 2024 - 16:00:38 - EbenMoglen
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM