Time is ripe for Congress to act on data protection legislation, say privacy advocates

With the focus on data privacy intensifying following Facebook's scandal with Cambridge Analytica, some technology policy experts want Congress to capitalize on the moment and pass a unified, federal standard for safeguarding Americans' private information online.

"We are getting to the point where we are being tracked, we are being watched, and there are people who are using that data for bad outcomes for us as a society," Kim Keenan, Internet Innovation Alliance co-chair, said on Monday during a panel discussion in Washington, D.C., about consumer internet rights.

The panel took place just one week after Facebook CEO Mark Zuckerberg faced two days of congressional hearings to outline how his social media company allowed research firm Cambridge Analytica access to the personal data of 87 million Americans. His nearly 10 hours of testimony raised as many questions as it answered around consumer protection online and the massive amounts of information users agree to hand over when registering for social platforms.

One glaring gap in the conversation around Facebook's harvesting of data is the time between when the company discovered Cambridge Analytica's actions and when the news spread to the public, Keenan said during the panel, which was scheduled before the Facebook news broke. Only just recently did the breadth of the social network's data-gathering become clear.

Will the US follow in the EU's footsteps?

Following the public uproar, Zuckerberg announced Facebook will not extend privacy standards from the European Union's General Data Protection Regulation (GDPR) to its platforms worldwide, which also include Instagram and WhatsApp. Instead, the company will develop its own global version that Zuckerberg said will be "in spirit" with GDPR, which goes into effect on May 25.

For many companies, the internal changes to data handling required to be GDPR compliant are challenging and resource-intensive. Despite those barriers, most large tech companies have committed to complying — even though ad giants like Facebook and Google are dependent on user data to personalize the ads they deliver.

"These are the largest companies in the world, and they have more data about people than people know," Keenan said. "They know who you are, they already know everything about you, and if they don't have any restraints on your protections, things like this are going to happen."

Historically, tech companies have pushed for self-regulation of user data over broader legislation because it was in their best interest to do so, as many of them made money by helping advertisers target consumers using that data, per the panel. The platforms have argued that such data collection helps them make ads more personal and relevant, something consumers desire. However, users have started to question whether any value they get from trading away their personal data is worth it.

Preventing a 'patchwork' of legislation

"[Zuckerberg] posited this notion that they can self-regulate, but if they could self-regulate, they would've noticed the problem earlier and taken action," Keenan said. "It's not really their job to worry about whether they're protecting your information or data. Their job is to gather as much data as they can. That's what their service is for."

Now, the onus will likely fall on Congress to spearhead broad consumer protection laws. But passing regulation isn't clear-cut, as many states are looking to introduce their own privacy laws — not legislation at the federal level that would cover all Americans regardless of their location, according to former Federal Trade Commission Chairman Jon Leibowitz. State laws would mean that when a person crosses state lines, any privacy protections would be moot.

"It's just bad policy. You don't want a crazy quilt patchwork of 48 state privacy laws," Leibowitz said. "I'd like to see, and I think many of us in this room — no matter what your party affiliation — would like to see are baseline privacy rules that protect all consumers."

However, eliminating ad targeting entirely is not the answer, said Robert McDowell, former commissioner of the Federal Communications Commission, during the panel. That route could lead to a First Amendment violation, as it could essentially be interpreted as the government silencing companies from speaking to certain audiences.

What's to come

It'll likely come down to federal legislation that lays out basic rules for online privacy, according to the panelists. Currently, data protection can vary significantly between different platforms, apps and services, and the panelists said expecting consumers to keep up with the different terms and conditions for each is just not possible, especially since most people rarely read the user agreements in full. These protections will take months, if not years, to address by both the government and individual tech companies.

"Privacy and the privacy debate will drive a larger, more comprehensive discussion regarding regulation of the internet — and that's going to take some time," McDowell said. In the meantime, "the Cambridge Analytica mishap won't be the last."