GDPR-Style Privacy Regulations May Be On the Way in U.S.


A new bill that will bear some similarities to Europe's new General Data Protection Regulation (GDPR) is on the horizon, legislation that could alter how businesses treat users' private data.

Sen. Richard Blumenthal (D-Conn.) said he plans to introduce a bill soon that will include what he called a “privacy bill of rights,” based in part on GDPR, the comprehensive privacy and breach-notification framework that went into effect in Europe late last month. One of the key elements of GDPR is that an organization needs a lawful basis, most often the user's consent, to process personal data, and that users can withdraw that consent whenever they choose. Blumenthal said that there are so many privacy threats right now that most people don’t even have a handle on what they are.

“The way to begin the course ahead is to alert the American people to what those threats are,” he said during a hearing of the Senate Committee on Commerce, Science, and Transportation on privacy issues arising from the recent scandal involving Facebook and its relationship with the now-defunct political consultancy Cambridge Analytica.

One of the peculiarities about the way that Congress regards data breaches, data thefts, and other privacy and security related events is that the legislators tend to treat each new incident as a discrete and novel occurrence. In reality, these events are cumulative and have a correspondingly cumulative effect on the erosion of users’ privacy and confidence in the platforms and technology companies they use.

Few people have a more comprehensive view of this effect than Ashkan Soltani does. As a privacy and security researcher, he has done extensive work on consumer privacy and on detailing the ways in which platform providers and advertisers track users across the web. And as a former chief technologist at the Federal Trade Commission and senior advisor in the White House during the Obama administration, Soltani has seen the ways that federal agencies and legislators develop technology policy and investigate (or don’t) the companies that violate those rules.

On Tuesday, Soltani sat in front of the committee and calmly explained to the members just how deep and broad the user-tracking and data-monetization problem really is. The hearing focused on Facebook and Cambridge Analytica, a situation that Soltani emphasized was neither new nor unique.

“I cannot stress enough that Cambridge Analytica’s theft of personal information is not a new problem. It is neither novel nor limited to one bad actor—albeit a strikingly egregious example. This problem is endemic to the online ecosystem and creates real harm to every American who uses the Internet,” Soltani told the members of the committee.

Although the hearing was billed as a look at the Cambridge Analytica-Facebook situation, the questions from the committee members ranged far afield and the conversation became a broader one on privacy rights in general and what privacy even means in today’s environment. Blumenthal didn’t specify which sections of GDPR his bill would mimic, but the concept of notice and consent, which is already the basis of U.S. privacy policies, should not be the main focus of new regulations, Soltani said.

“I worry about overly focusing on consent rather than providing protection. There’s this belief that being able to take data from platform to platform is beneficial, but from a security perspective you could be increasing the chances of it being breached,” Soltani said.

Blumenthal and other committee members questioned Soltani and the other two witnesses, NewCo CEO John Battelle and Aleksandr Kogan of the University of Cambridge, about how the government should handle the Facebook situation and other similar scenarios. Battelle, an entrepreneur and media executive, said pushing companies to lock down their data even further isn’t the answer.

“The absolutely wrong conclusion to draw from the Cambridge Analytica scandal is that entities like Facebook must build ever-higher walls around their services and their data. In fact, the conclusion should be the opposite. A truly open society should allow individuals and properly governed third parties to share their data so as to create a society of what Nobel laureate Edmund Phelps calls ‘mass flourishing’,” Battelle said.

Some of the committee members expressed concerns about the amount and kinds of data that Facebook and other platform providers collect and said something needs to change.

“This must stop and it must stop now. We’re going to see history repeat itself unless we have action,” said Sen. Tom Udall (D-N.M.). “I’m concerned the federal agencies here aren’t doing enough to protect our privacy.”

Soltani also urged the lawmakers to move forward with federal privacy regulation to rein in the misuse of users’ private data.

“Our society has long recognized that an individual has a right to private communication and a right to be left alone. We have taken great strides to advance those rights and protect them when new technology threatens to infringe. Now is such a time, and federal action is required. Protecting privacy is now more critical than ever,” Soltani said.