Bill takes a leaf out of GDPR’s book

The tech regulation debate is heating up stateside, with legislation appearing at every level of government, attempting to detail what consumer protections in the age of data-driven decision making should look like.

Lawmakers in Washington have been the latest to throw their two cents into the ring, introducing an overarching privacy law that aims to give consumers added control over their data.

The bill, aptly named the Washington Privacy Act, was brought forward last month and outlines proposed protections similar to those of Europe’s General Data Protection Regulation (GDPR).

GDPR legislation passed nearly a year ago and has been hailed as the most comprehensive privacy policy to date.

Using terms that run parallel to the European privacy framework – setting standards applied to businesses which control or process data – the Washington bill also takes a broader look at privacy rights on the whole.

It requires companies to complete regular audits on their collecting and sharing practices, much like the privacy impact assessments found under GDPR.

“It’s [the Washington bill] saying that you have a bundle of individual rights,” Kelsey Finch, policy counsel at the Future of Privacy Forum, told The Daily Swig.

“So you have the right to access your data, what data the company has; you have the right to have the data portable, so you can take it with you from one company to another; you have the right to correct your data, if you think that it’s incorrect or inadequate, you can have it deleted.”

Unlike GDPR, which oversees rules for any party handling data from within the EU (inclusive of government), Washington’s privacy bill focuses on the regulation of business – those with more than 100,00 customers, or which derive 50% of their gross annual revenue from the sale of personal information.

State and local government datasets are generally excluded from the legislation, but privacy safeguards have been contemplated to govern the use of facial recognition by law enforcement and commercial entities alike.

“The Washington bill is thinking a bit more in terms of balancing fundamental rights and freedoms of individuals in the way that the European one does against the potential legitimate interests of business,” Finch said.

“Whereas the US approach to privacy legislation tends to lay out protections across the board, which will apply to a lot of different entities, taking on a more sectorial approach and creating higher protections on a sectorial basis. So the bill combines a bit of both of those worlds.”

Talk of putting consumer safeguards in the backyard of notable data guzzlers like Amazon and Microsoft has put Washington in line to become the second state to enact overarching privacy rights for its residents.

This move follows the passing of the California Consumer Privacy Act (CCPA), set to come into effect on January 1, 2020.

While there are some similarities between the Washington and CCPA legislation – both, for instance, predominantly hone in on for-profit entities – the CCPA is more transactional, largely highlighting the transfer or exchange of data used for products and services.

“The CCPA is targeted much more towards the selling and sharing of data,” said Finch. “It doesn’t necessarily contemplate the same broader set of rights that the Washington one does – it’s two different ways of tackling similar problems.”

But how far the Washington legislation actually goes in mirroring GDPR efficiency has drawn criticism – administering the law is a particular point of concern.

“The GDPR, for example, actually has enforceability,” Shankar Narayan, technology and liberty project director at the American Civil Liberties Union (ACLU), told The Daily Swig.

“It has a broad library of clear definitions because they [countries within the European Union] have an actual regulator that is supposed to define terms and has a body of case law based on that.”

The Washington Privacy Act makes reference to the CCPA by suggesting that enforcement action should fall in the hands of the State Attorney General, implementing fines of between $7,500 and $2,500 for each violation as in Californian law.

Broad definitions are another concern.

“GDPR works because all of the stuff that happens downstream depends on why you collected it [the data],” Narayan said. “In the EU, it’s clearly established that, if you don’t have that legitimate reason to collect, then you can’t collect. And that’s not even here in this [Washington] bill.”

Narayan added: “Trying to import the structure after that, it really collapses.”

Ignited by much of last year’s onslaught of Big Tech privacy scandals, a national conversation surrounding citizen rights in our ever-dependent data economy has been a long time coming.

Local municipal governments throughout the US have even started enacting their own privacy legislation.

Seattle, for instance, passed a Surveillance Ordinance law in order to provide transparency over the technology the city plans to use.

Tech giants themselves, most recently Cisco, have backed calls for a US version of GDPR – Apple’s Tim Cook stated that regulation would be “inevitable” back in November – in what many believe is simply rebranding, given that trust in these conglomerates is at an all-time low.

These calls are combined with a powerful tech lobby adamant about watering down any legislative scrutiny, looking to control debate on the federal level through $64 million spent on influencing lawmakers in 2018 alone, according to the Washington Post.

Industry has equally been averse, perhaps justifiably, to parts of the Washington bill, arguing that its likeness to GDPR will mean that some companies will avoid doing business with Washington residents.

“I think the big picture obviously is we don’t necessarily have a great prospect of getting a strong federal law,” said Narayan.

“And, in fact, I think there is an active effort by some of the larger tech companies after the California legislation passed to actually get watered down legislation in other states, ultimately perhaps preempting that with an even weaker federal privacy bill.”

There still may be some reason for optimism on the data privacy front, however.

“Our movements are starting to talk to each other, and I think this is really how change begins,” Narayan said.

“We are actually coordinating what we’re doing and I think we’ve seen actual shifts in responses in these past years from the tech giants, which goes to show that they’re going to shift their narrative and the way that they present themselves, but also demonstrates that there are things that these companies are afraid of.”

The proposed Washington bill would come into force December 31, 2020.

