At a privacy forum hosted by the American Enterprise Institute on Wednesday, the Department of Justice’s Chief Privacy Officer Peter Winn pushed back on the idea of “individual control” in a federal privacy law.
Winn launched the forum by stating, “Privacy is not about giving individuals complete control over their personal information in all contexts. Some people think we need a privacy law like the one in the EU. I disagree.”
Furthermore, he added, sweeping privacy laws like the EU’s GDPR “often have consequences they go far beyond their intended purposes and end up impacting core public safety initiatives,” specifically referencing concerns regarding the Internet Corporation for Assigned Names and Numbers (ICANN).
ICANN now allows cookies, internet domain names and IP addresses, to be obscured in order to comply with GDPR because these data points can be used to identify an individual and are now classified as “personal information.” Opponents of GDPR argue this hinders law enforcement from tracking down cybercriminals.
From Winn’s perspective, a privacy law that grants the consumer total control over his or her data conflicts with the needs of law enforcement officials trying to ensure public safety.
He’s not the only one to draw attention to this point. Last fall, a group of cybersecurity firms filed comments with the National Technology and Information Administration (NTIA) stating that sometimes companies compromise their customers’ privacy for the sake of security, by sharing data with other companies after a cyberattack to better mitigate future cyberattacks.
“This is consistent with consensus best practices for comprehensive security programs, such as the NIST Cybersecurity Framework,” the Cybersecurity Coalition wrote in the filing. “By necessity, some of this data can be linked to individuals or specific devices, thereby potentially falling under common definitions of ‘personal information.’ For example, phishing, a highly prevalent and effective attack vector used to steal sensitive data, is based on spoofed emails and identities. To detect and avoid suspected phishing attempts, cybersecurity service providers may process such personal information including the email address, purported identity, and the IP address associated with the origination of the phishing email.”
Winn also said stakeholders should play a central role in any privacy law discussion, but did not mention consumer advocates or consumer protection.
“Understanding the democratic process in the U.S. is also important to understanding how privacy policies work — all the major stakeholders have weighed in, and there at least needs to be a substantial consensus among them and at least a clear understanding of why the privacy standards are needed before a bill can become law,” he said.
If stakeholders can agree on privacy standards, he argued, then they’re more likely to comply. Consumer advocates frequently point out that Congress should consider consumer perspectives when discussing privacy legislation, as any privacy law will directly impact consumers as well as stakeholders.
“Some bemoan the fact that the American democratic process requires greater buy-in from the people who will actually have to comply with the laws we enact, but a requirement of more buy-in for a proposed law upfront results in a greater level of compliance when it becomes law,” he said. “Compliance has a lot to do with trust.”
The Electronic Frontier Foundation (EFF) points out in a blog post that listening to stakeholders alone enables them to push ideas and legislative efforts that benefit them, but may not be good for consumers.
“The testimony and responses from industry representatives [are] predictable: lip service to the idea of strong federal consumer privacy legislation, but few specifics on what those protections should actually look like,” the EFF’s Legislative Analyst India McKinney and Research Associate Gennie Gebhart wrote. “These witnesses also continue to advocate for unwritten, vague federal preemption of existing state laws like California’s Consumer Privacy Act (CCPA) or Illinois’s Biometric Information Privacy Act (BIPA).”
Instead of an aggressive legislative crackdown, Winn thinks companies should try to regain consumers’ trust by treating their data well.
“We can only earn this trust by making sure we handle their information appropriately and lawfully,” Winn said, despite constant news reports detailing how companies abused consumers’ trust in the past, from Equifax to Facebook to Google.