Privacy is among the biggest concerns for people all over the world these days. From wallets to health trackers our lives are increasingly digitized, and President Obama has renewed his focus on privacy—with last week’s Consumer Privacy Bill of Rights being the latest step in that direction.
Here’s the thing: why the need for “Consumer” preceding “Privacy Bill of Rights”? A Pew Research study last year found that while 91 percent of surveyed adults felt consumers had lost control over how their personal information is shared with companies, 80 percent felt that the country should be similarly concerned about how the government was monitoring phone and Internet communications.
So, with Americans not only concerned with companies and websites spying on them—but data collection practices from the government itself—why restrict this to a commercial context?
It’s because, as Chris Avery notes in a post for the Privacy and Security Law Blog, the government does not plan on leading by example on this:
Despite that reference to the bill of rights, do not be misled into thinking that the government would subject themselves to this far reaching proposal. In fact, federal, state and local governments are all given a pass on complying with the proposal’s broad and ambiguous requirements. The government exemption, once again, asks the private sector to do what I say, not as I do.
Going back to the specifics of this draft, it frequently name-checks popular privacy concepts like “clear,” “transparent,” and “individual control,” and the focus of the document is to outline steps that companies need to take for consumers to understand what data is being taken and what that data will be used for. The legislation is careful to define “covered entity” as “person that collects, creates, processes, retains, uses, or discloses personal data in or affecting interstate commerce,” and to maintain that personal data is broadly considered any non-publicly available data under the covered entity’s control.
But here’s the thing: even looking exclusively at the things the legislation sets out to accomplish, not what is misses, it doesn’t even do that well. Although it’s only a draft discussion of what future privacy framework might look like, it’s being met with apprehension from plenty of parties—notably by the tech community, who feel they haven’t been properly consulted on establishing the protocol. David Navetta and Jami Vibbert write for Data Protection Report:
The response of the Information Technology Industry Council (“ITI”), whose member companies include Google, Apple, Microsoft, and Oracle, focused on the need for all stakeholders to participate in the implementation of any framework regarding privacy practices. The ITI stated that it “plans to engage with policymakers and lawmakers to provide our input.”
They’re not the only ones feeling left out of the process either. As Navetta and Vibbert also note, a letter was published on behalf of 14 consumer privacy groups(PDF)—the Center for Democracy and Technology, Consumer Watchdog, Electronic Frontier Foundation and Public Knowledge among them—expressing similar concerns:
Our substantive concerns were compounded by the way in which this bill was developed. Most of our organizations were left out of consultations and were allowed to review the draft only one week prior to its release. Many organizations outside the Beltway were not able to review the legislation at all.
In drafting something with a title as heavy as the Consumer Privacy Bill of Rights, you figure the leading consumer privacy groups would be involved, no? It’s a good thing this is just a draft, as they have other big concerns, with this intro before listing them in full:
Nevertheless, substantial changes must still be made for the legislation to effectively protect Americans’ right to privacy. The bill should provide individuals with more meaningful and enforceable control over the collection, use and sharing of their personal information. The bill should uphold state privacy laws and afford stronger regulatory and enforcement authority to the Federal Trade Commission. In the weeks and months to come, we hope to work with you and leaders in Congress to strengthen the bill and address shortcomings in the draft legislation…
As mentioned several times, this is but a draft, and there’s still time to address many of the issues the legislation aims to address—but there’s that huge issue of what it doesn’t, and that’s government data collection.
Obama did, at least, announce somewhat-similar oversight plans for data collection in the intelligence communities in February that call for more accountability from government agencies, but it was met with lukewarm response from the ACLU. As Newsweek reports:
“While we welcome the release of more information about the NSA’s surveillance activities and efforts to put in place enhanced protections, the proposed reforms do no more than tinker around the edges,” Neema Singh Guliani, legislative counsel with the American Civil Liberty Union’s Washington Legislative Office, said Tuesday.
“The documents clearly show that the government continues to stand by a number of its troubling mass surveillance policies, despite mounting evidence that many of these programs are ineffective,” Guliani added. “The report released today underscores the need for action by Congress and the courts to fully reform the NSA.”
President Obama made a step in the right direction when he released a presidential memorandum requiring all government agencies to discuss when they use drones and how the data collected was being used, but if there seems to be little to no other oversight on how big data is being used by government, we’re left asking: where’s the regular privacy bill of rights?