This is going to be kind of a short one because what I’m about to say is easy to understand and really shouldn’t take a lot of explaining. In a nutshell, this is a plea to the Powers Of The World to create and adopt a Universal Data Privacy Act. What got me thinking about this is a new article I just read on Axios which says that our current administration will take a stab at a new data privacy act for the USA. That’s all well-and-good but I want to play a game first. I’m going to give you a list and you tell me what these acronyms have in common…
If you guessed that they’re all different digital / online / data privacy acts that various countries (and even some individual states) have enacted then you’re right! I even left off the super obvious ones like ePrivacy, Personal Data Protection Bill 2018, Cyber Security Law, and many others. Your next question is, “If we’ve got these laws already, why do we need more?” Good question.
It’s not that we need more laws, we actually need fewer laws but better laws that apply to more people. Each one of those laws I mentioned above protects relatively small numbers of people around the world. On top of that, each set of laws is written a little differently with different compliance guidelines and different penalties for non-compliance. To be honest, it’s a freaking mess. It’s so convoluted and confusing that a whole new digital compliance industry has been created in the last few years. Have you ever wondered why just about every website you visit hounds you to “accept our cookies?” It’s because of these data privacy laws that require user consent to collect data…and those “Accept Our Cookies” pop-ups are the result of the user consent portions of those laws.
What To Do?
My proposal is simple in concept but would require a Herculean effort on the part of world governments…only because they’d all have to agree on something.
Let’s create a basic framework for this new law. My first (mental) draft says that has at least the following features:
- Give users the option to share or not share personal data
- Keeps individual’s personal data secure
- Provides a right to be forgotten
- Enacts severe penalties for companies that are in breach of the law
Let’s break down what each of those means.
1. Give users the option to share or not share personal data.
Simple…do you want to give us permission to capture your online movements or not?
2. Keeps individual’s personal data secure.
This is the trickiest statement because the law would have to define both “individual’s personal data” as well as define “secure.” Generally speaking, I consider personal data to be both personally identifying information such as birth date, social security number, driver’s license number, address, and so forth as well as generated data such as IP address, system & browser information, websites visited, and other analytical data.
“Secure” in this case means protected from any entity that the user did not specifically grant permission to access the data. Exceptions could be made here for legal law enforcement and judicial reasons.
3. Provides a right to be forgotten.
This means that you can request that a company permanently delete any identifying information that a company has collected about you and that they must comply within a reasonable time frame.
4. Enacts severe penalties for companies that are in breach of the law.
Here’s the part of most laws (for corporations) that falls short. The penalties are so meaningless that there is no incentive for the company to comply or improve if they are out of compliance. For example, back in 2017 the credit monitoring company Equifax was breached and over 100 million US citizens had their core personal data stolen. This breach was determined to be due to gross negligence on the part of the company via numerous failures to update and patch critical systems. If the penalty for that breach was something like 200% of average annual profits then it’s possible that the company would have taken its data security more seriously.
The Tip of the Iceberg
The further into this I got and the more I re-read my own blog post I can see how this task is almost unrealistic in scope. I can’t even explain this simple concept in fewer than 800 words so how many reams of paper would it take to write it out fully and craft a piece of legislation that genuinely has the best interests of “the people” at heart as opposed to the corporations?
This topic is so huge and complicated and there are so many moving parts that there is no way I’ve thought all the way through this in this short article. I guarantee that there are holes, omissions, and giant WTF? moments in what you’ll read next. So, instead of flaming me let’s have a productive conversation about how this whole thing would really work. Tell me…where did I fall short and what would you change or add?
If you want to learn more about the myriad privacy laws out there, check out: