This is what many public officials, including Senator Kirsten Gillibrand, have begun to ask.
Last month, the Democratic Senator from New York introduced a new bill to overhaul the way the U.S. regulates privacy, putting citizens in control of their own personal data. The bill would create a new, independent agency called the Data Protection Agency (DPA) to protect consumer data by imposing financial penalties on companies that violate people’s privacy or mismanage their data, as well as taking these companies to court, launching investigations and fielding consumer complaints.
If data is the new oil, as is now often claimed, the U.S. has been operating without an agency responsible for preventing spills or holding those responsible accountable when they occur. The establishment of this new agency would incentivize companies to invest in and improve their data discipline before there is a breach, rather than reacting to a crisis that has already occurred.
The regulation posed by Sen. Gillibrand is a good start. However, it is not enough to regulate the data policies of big tech companies like Facebook or Google. Nearly every company that operates online—and many that capture personally identifying information in the real world, through credit cards, cameras, or Wi-Fi or Bluetooth sniffing—is gathering a seemingly endless dossier on otherwise private individuals. The amount of information that is being gathered about each of us, every day, is staggering. If companies are going to use this information to transact business, they have to accept the responsibility for safeguarding it.
At Dashlane, we give our customers a simple way to manage the hundreds of passwords required in the modern internet, making it easy to keep passwords unique and secure. Every time a big company mismanages its customers’ data and exposes themselves to a breach—for good reason—downloads of our software spike.
That’s because there has only ever been one way that people in the U.S. are able to protect their data: by protecting it themselves.
A DPA with real teeth could measurably decrease how often Americans have their personal information strewn all over the internet—3,800 times and for a total of 4.1 billion records exposed in 2019, according to Norton—as well as limit the types of information companies could collect about citizens in the first place. It would also create a central, federal effort to unify privacy regulation across all states.
I could be glib and say that fixing this massive problem would be terrible for my business. After all, how could we sell customers a password manager if they weren’t living in perpetual fear of their personal data falling into unscrupulous hands?
However, if we look across the Atlantic to see the impact of the European Union’s Global Data Protection Regulation (GDPR), we’ve found that the opposite is actually true. Increased oversight and accountability of data privacy hasn’t negatively affected business in the least. If anything, it’s made regular citizens even more aware of the importance of protecting themselves as much as possible.
The E.U., which is home to 446 million people post-Brexit, has a unified digital privacy framework. As the first mover on privacy rights, the E.U. effectively dictated a de facto global standard for privacy: most companies that have any E.U. customers have had to implement GDPR compliance into their systems (and often implemented them globally).
It may not be perfect, but it is certainly much simpler for businesses than what we see happening in the U.S. with the emergence of state by state privacy regulations, such as the California Consumer Privacy Act.
Even the most empowered individual in the world has little recourse when their data is compromised. This is the role and duty of government: to represent the rights of the citizenry as a whole and not to simply trust companies to act in good faith. Digital privacy is a right—a human right—that, thanks to the speed of technological development, we nearly gave away before we knew what we were losing.
The U.S. won the first part of the race to create and define the internet through innovation. Now it runs the risk of losing the second part of that race by letting the E.U. defining the next phase of the internet through regulation. It will undoubtedly be challenging to pass a bill such as Gillibrand’s. However, the proposed DPA is less partisan than many other topics, as there is a consensus that the time has come to regulate Big Tech for the sake of the consumer. We have an opportunity to define an even more effective data framework than the GDPR, one that protects Americans and their data around the world. This is not an opportunity we can afford to waste.