With an ever-increasing reliance of online resources both at work and at home, COVID-19 has created a new focus on digital privacy protection. Increased data gathering for virus contact tracing and growing threats of cyber disruptions for home-based workers lacking sophisticated resources to combat them also are at play now. They have added to the complexity of designing a durable framework that must look further ahead to post-pandemic times, when a “new normal” will take hold.
The COVID-9 pandemic has taught us that with a complex area such as coronavirus contagion, there is unlikely to be a proverbial “silver bullet” that can cover all aspects of digital privacy protection. Rather, social distancing, vigorous hand washing, temperature checks, diagnostic testing and contact tracing now are recognized as key measures that can help halt its spread. The promised silver bullet of an effective vaccine on a global basis remains an ultimate goal, but there is no current assurance that one can be developed, and even if so, when it would become available.
The holistic public health approach to the pandemic has helped save lives. It also is a concept that is worth emulating in the area of digital privacy policy. Such an approach would differ from the pre-pandemic discussions about “comprehensive” privacy legislation that has been the focus on Capitol Hill during the past year. This notion assumes that the best route would be to enact a new law that covers a range of digital privacy situation for years to come.
The United States has a significant track record in pursuing a holistic approach to other public policy concerns that is worth reviewing in greater detail. For example, the Centers for Disease Control and Prevention has recognized that the reduction of drunk driving nationally will require “different strategies … (with) different resources for implantation” that may have “different levels of impact.”
Drunk driving laws are a necessary part of this picture. They have established a nationwide blood alcohol level, and all states and the District of Columbia have raised the minimum drinking age to 21 years old. Local governments also have authorized sobriety checkpoints so police can stop vehicles at highly visible locations to determine if a driver is impaired, followed up by an alcohol breath test if there is a suspicion of intoxication.
But legal measures cannot by themselves provide a sufficient solution. Other stakeholders have joined this effort in positive ways. Manufacturers have designed and installed ignition interlocks for measuring alcohol levels of repeat DUI offenders, which have proven to be highly effective at preventing new violations from occurring.
Simultaneously, the CDC has advanced multi-component interventions that combine several programs or policies to prevent drunk driving. These include mass media public service campaigns regarding the physical dangers and legal consequences of drunk driving. Persuading people not to drink and drive, or to let others do so, has been an important intervention that complements the new laws aimed at deterrence.
Effective community mobilization through groups such as Mothers Against Drunk Driving has also been part of a comprehensive approach to this problem. So too are school-based instructional programs that teach teens not to ride with drunk drivers, and the identification of people who are at risk for alcohol problems along with assistance for treatment if needed. The marketplace also has responded through extensive on-demand ride services such as Uber and Lyft that are available to transport people who are too intoxicated to drive home safely.
This multi-dimensional approach can be found in a number of other areas, including a reduction in tobacco use, an increased use of seat belts and preventing wildfires. It suggests that digital privacy policy could also be developed strategically with multiple reinforcing pathways. Legal protections alone, while comprehensive in concept, are unlikely to represent a comprehensive solution in practice. Like drunk driving or these other areas, there are inherent limitations to the reach of legal or regulatory penalties that need to be assessed more carefully.
The experience of the European Union since its General Data Protection Regulation (GDPR) took effect in May 2018 illustrates that legislation and regulation may not be as effective as envisioned, and in any event, will take more time to assess its real impact on providing better digital privacy protection.
According to Politico, in the two years since the GDPR took effect almost 300,000 complaints have been filed in the EU’s 27 countries. With $325 million allocated for government enforcement during this period, European privacy regulators have levied about $163 million in fines. The result — “two years since the EU’s flagship policy regime came online, Silicon Valley’s biggest names remain largely unscathed despite a volley of complaints. According to Estelle Masse, senior policy analyst at Access Now, a civil rights non-governmental organization, “Crippled by a lack of resources, tight budgets, and administrative hurdles, (EU) Data Protection Authorities have not yet been able to enforce the GDPR adequately.”
At the least, and especially as enforcement funding may not be as abundant in post-pandemic times, legislation and regulation need to establish appropriate public expectations regarding their efficacy while also building in sufficient time after enactment to evaluate if further fine tuning may be necessary. We also must aim to satisfy both sides of the dynamic supply-and-demand equation for internet services — now and in the future — to enrich our economies, our communities and our daily lives.
These observations have led me to focus on the need for a multi-stakeholder digital privacy policy toolkit that will be broader and more durable than any particular legislative or regulatory approach might be. In other words, let’s de-emphasize a silver bullet approach.