In the spring of 2018, Facebook CEO Mark Zuckerberg was called to testify before Congress, largely in response to the news that British consulting firm Cambridge Analytica had captured and used the data of more than 87 million Facebook users to influence elections without the social media giant's knowledge or consent, as well as the admission that Facebook itself had been used by Russians to spread fake news and propaganda. During his testimony, Zuckerberg laid out his views on both the need for, and inevitability of, regulation of technology companies and their products and services.
Zuckerberg has since published a call for governments to regulate the Internet by limiting harmful content, addressing long-standing privacy concerns, securing the integrity of elections, and ensuring data portability. However, as of the writing of this article, there has been little to no substantive action on the part of the U.S. federal government to address these and other IT-related concerns.
The lack of consistent and wide-spread regulation of Internet and computer technology, particularly around data privacy and security, within the U.S. points to a confluence of complicated factors that make the creation of new federal rules related to technology unlikely, despite the public's growing desire to have some entity police how their personal data and information is tracked, collected, and used.
"We're under the 20-some-year-old framework that doesn't really work closely for the industry," says Lee McKnight, an associate professor in the School of Information Studies at Syracuse University, referring to the Telecommunications Act of 1996, the last major piece of federal regulation that addresses the activities of communication and IT companies. While the Act deregulated the communications business, letting any company offer local and long-distance telephony, cable TV programming, and other video services, its only reference to the issues of data privacy or security is Section 725's reference to prohibiting local exchange carriers from recording or using the "the occurrence or contents of calls received by providers of alarm monitoring services for the purposes of marketing such services on behalf of such local exchange carrier, or any other entity."
Indeed, McKnight says that, given the vast technological and business model changes that have occurred over the past 23 years, the law is largely outdated and simply does not address how companies collect, share, monetize, and protect personal and service-usage data, nor does it address the issue of data security breaches. Regulatory activity advocates generally believe the collection of such a large amount of data, its huge commercial value, and the potentially negative repercussions of this data falling into the wrong hands portends the need for strong regulatory controls, along with stiff penalties for noncompliance.
Figure. Facebook chairman Mark Zuckerberg was called to testify before U.S. Senate committees after it was reported U.K. consulting firm Cambridge Analytica had harvested the data of more than 87 million Facebook users without their consent to influence elections.
Within the U.S., several government regulations have been enacted that address general cybersecurity issues, including the Cybersecurity Information Sharing Act (CISA), the Cybersecurity Enhancement Act of 2014, the Federal Exchange Data Breach Notification Act of 2015, and the National Cybersecurity Protection Advancement Act of 2015. However, these regulations do not specifically address computer-related industries such as Internet service providers (ISPs) and software companies (or service companies such as social media sites), and many of the regulations include vague language that leaves a significant amount of room for interpretation.
Opponents of additional regulatory activity argue that the personal data that is most sensitive and in need of regulatory protection is already protected by regulations such as the Health Insurance Portability and Accountability Act (HIPAA), which provides for data privacy and security of individuals' medical information.
Furthermore, getting additional, specific data handling, privacy, and security regulations that will work in a global economy may be challenging to implement, as well as costly and some-what difficult to enforce. Many modern-day business services, such as social media sites, are global in nature, and it can be difficult to determine the applicable jurisdiction (for example, if a South African citizen purchases goods from a French-domiciled company via the Facebook platform, and the shipment of such goods comes from China, which data laws take precedence?).
Getting additional, specific data handling, privacy, and security regulations that work in a global economy may be challenging to implement and costly to enforce.
Additionally, technology companies whose business models are primarily based around monetizing personal data, either directly for sales and marketing purposes, or indirectly by offering access to or selling that data to others, are generally not in favor of regulation that will prescribe how they collect, use, and store data. The argument most commonly summoned by regulatory opponents is that regulation tends to stifle innovation by limiting the creative ways in which data can be used, as well as by increasing compliance costs through requirements for enhanced and more frequent data updating, recordkeeping, and notification of data security breaches.
However, any regulation that limits how a business can capture and use personal data is likely to negatively impact a business that currently relies on relatively unfettered access to and use of that data.
Despite some opposition by technology companies, regulatory progress is being made. The European Union (EU) enacted in 2018 the General Data Protection Regulation (GDPR), which regulates the handling and privacy of the data of individual citizens of the EU and the European Economic Area (EEA), and also addresses the export of personal data outside the EU and EEA regions. Because multinational companies operate both within the EU and beyond it, some companies are applying GDPR rules across all of their customer base, thereby providing indirect regulatory control to areas such as the U.S., which does not have a national regulatory framework covering data privacy or security.
"Many companies at this point would be fine complying with GDPR, with similar rules worldwide, and many companies, in fact, have done that," says James Grimmelmann, a professor of law at Cornell Tech and Cornell Law School. However, given the restrictive nature of some of the components of GDPR, such as the requirement that individuals can request erasure of personal data related to them on any one of a number of grounds within 30 days of its publication, certain business models may not be compatible with GDPR.
"It may be that the kind of ad networks that Facebook and Google use simply can't operate under GDPR," Grimmelmann says, adding, "it will take a few years to find out whether that's the case or not."
While efforts to protect individuals' privacy and personal data in the U.S. are under way, much of the work being done is at the local or regional level, rather than the federal level. For example, the California Consumer Privacy Act was signed by then-governor Jerry Brown last year and is set to go into effect in January. The Act conveys three main rights to consumers in California: the right to know what information is being collected about them; the ability to tell a business not to share or sell their personal information; and the right to have data protections put in place by companies that collect and store personal data. It should be noted, however, that Californians for Consumer Privacy, the group that initial spurred the legislation, does not appear to be pushing for similar nationwide regulation, and no one from the group responded to repeated phone calls and email messages for comment for this article.
The details of how federal regulation of data privacy and security will be supplied are unlikely to be resolved in the near term.
Lan Jenson, CEO of Adaptable Security, a non-profit organization dedicated to protecting society from cybercriminals, says there needs to be a compromise between those who want IT regulation and those that believe regulation simply stifles innovation and competition. Furthermore, in the absence of specific regulations, Jenson believes there should be a concerted effort to help smaller and new market entrants address the root problem of data security and privacy. Several non-profits are working to address the issue, including:
Regardless, coming to agreement on what should be regulated, which authority should be responsible for writing and enforcing the regulations, and how penalties should be meted out is likely to be challenging, according to David Weinberger, a senior researcher at Harvard University's Berkman Klein Center for Internet & Society, and author of Everyday Chaos: Technology, Complexity, and How We're Thriving in a New World of Possibility. "I can certainly see regulators stepping in, one way or another," Weinberger says.
However, the details of how federal regulation of data privacy and security will be applied are unlikely to be resolved in the near term, largely due to multiple competing interests on both sides of the political aisle, explains Grimmelmann.
"I expect this is something we'll still be grappling with 10 years from now," Grimmelmann says. "If this were a simple left/right political issue, you would expect that when you have Republicans in control, they would pass legislation that they agree on, but they don't. You have some Republicans who are highly libertarian about technology, and some who are very skeptical about tech. You have some Democrats who are very friendly with technology, and others who are very skeptical about big tech and its effect on the democracy. And as a result, you don't get a simple coalition in Washington that's going to say, 'OK, you're in power now, you're going to impose our preferred privacy and other tech regulations'."
Adaptable Security https://adaptablesecurity.org/
California Consumer Privacy Act https://www.caprivacy.org/
Cybersecurity Information Sharing Act https://www.congress.gov/bill/114th-congress/senate-bill/754
Cybersecurity Enhancement Act of 2014 https://www.congress.gov/bill/113th-congress/senate-bill/1353/text
Federal Exchange Data Breach Notification Act of 2015 https://www.congress.gov/bill/114th-congress/house-bill/555
General Data Protection Regulation https://eugdpr.org/
Global Cyber Alliance https://www.globalcyberalliance.org/
National Cybersecurity Protection Advancement Act of 2015 https://www.congress.gov/bill/114th-congress/house-bill/1731
National Cyber Security Alliance https://staysafeonline.org/
Telecommunications Act of 1996 https://transition.fcc.gov/Reports/tcom1996.pdf
Mark Zuckerberg: The Internet needs new rules. Let's start in these four areas, The Washington Post, March 30, 2019 https://wapo.st/2R3hYlg
©2019 ACM 0001-0782/19/12
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and full citation on the first page. Copyright for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or fee. Request permission to publish from [email protected] or fax (212) 869-0481.
The Digital Library is published by the Association for Computing Machinery. Copyright © 2019 ACM, Inc.
No entries found