Intel Asks for Comments on Draft Federal Privacy Law
14.11.2018 securityweek IT
Intel Proposes "Innovative and Ethical Data Use Act of 2018" to Improve Protection of Personal Privacy Through Nationwide Standards
The basic acceptance that personal privacy in a digital world can only be protected by legislation has been growing around the world. In Europe it led to the development of the General Data Protection Regulation (GDPR). An EU 'Regulation' can broadly be seen as similar to a U.S. federal law -- one that in Europe takes precedence over member-state national laws, and in the U.S. takes precedence over state laws.
In this sense the 'federal versus state' argument over privacy protection has been settled in Europe. It is only just beginning in the U.S. With no national-level federal law on privacy protection, individual states have implemented their own state laws -- culminating, one might say, in not the latest but probably the strongest: the California Consumer Privacy Act of 2018 (CCPA).
This in turn has led to a reversal in the position previously taken by the big tech companies. Personal data has become integral to digital commerce. It drives marketing and is seen as essential to business. Those companies that don't use it directly still collect it and sell it to those that do. This has been largely unencumbered by any federal privacy law -- but is now being restricted by state laws.
Big companies are beginning to lobby -- for the first time -- for a federal law to take precedence over state privacy laws. There are many reasons for this; but the bottom line is that they expect a federal law to be less restrictive on the gathering and use of personal data than, for example, CCPA.
Intel has now entered this debate. Its position, however, is not 'should there be a federal law?', but 'what should it include?'. It has developed and published a draft model federal bill that it calls the "Innovative and Ethical Data Use Act of 2018", and is inviting comments from businesses, privacy experts and the general public.
Intel rejects the idea of allowing individual states to develop individual state-level privacy laws. "The US needs a law that promotes ethical data stewardship, not one that just attempts to minimize harm. A non-harmonized patchwork of state legislation will cause companies to default to restrictive requirements and the result will decrease the likelihood of realizing technology's great potential to improve lives. Intel has drafted proposed legislation to realize that potential. It promotes innovative data use, while requiring organizations that process personal data to implement measures to demonstrate responsibility."
Since without a federal law companies are likely to default to the strongest state requirements -- effectively the California Consumer Protection Act -- the implication is that Intel is seeking a federal privacy law that is less consumer-centric and more business-friendly. "What the US needs is a privacy law that parallels the country's ethos of freedom, innovation and entrepreneurship. That law needs to protect individuals and enable for the ethical use of data." The clue is in the title: its primary purpose is to protect data use, not to protect consumer privacy.
Intel makes the case that business needs to be protected from restrictive consumer privacy to enable, for example, "technologies like artificial intelligence to help solve the world's greatest challenges. The combination of advances in computing power, memory and analytics create a possibility for technology to make tremendous strides in precision medicine, disease detection, driving assistance, increased productivity, workplace safety, education and more."
These are strong arguments, and define the difference between the European approach to personal privacy and the proposed U.S. approach. While Europe has focused privacy protection on the consumer, allowing business what is fair to them, the Intel approach is to focus on the free flow of data between business, allowing consumers what is fair to them.
This is not to say that there are no personal privacy protections within Intel's proposal. There are. For example, companies cannot collect personal data "that is not relevant and necessary to accomplish the specified purpose(s)", for which the consumer must provide "explicit consent". However, the proposed Act tries hard to make privacy protection compatible with business purposes.
For example, "Only the forms of processing or the specific processing activity that are prohibited by the requirements [of this Act] shall be prohibited. Processing activities that do not meet the requirements shall not be prohibited."
There is also a 'safe harbor' against civil sanctions, "if a corporate officer certifies in writing to the Federal Trade Commission that it has conducted a thorough review of compliance with this Act, and specifically of the accountability program required by Section 4(h), and such review does not reveal any material non-compliance with the requirements of this Act that have not been mitigated." Compliance with this act can be self-certified, and self-certification can be at least a partial defense against civil action.
Intel's draft model federal privacy act has only been online for a few days. The website invites comments -- which can only be good for democracy. At the time of writing this, there have been just 12 comments (including 4 replies from the Intel spokesperson, David Hoffman). On the whole, these are supportive. One stands out, however, as being highly critical. Lynne Taylor comments, "[Student] data is being constantly harvested to the point it's called 'student data rape'. Not once, in this proposed Bill were there clear enough parameters to halt the over 1400 data points being harvested every day. Many of these violate, not only the U.S. Constitution, but the Civil Rights of every single American. Not to mention the overreach by ANY federal agent, agency, or program with, by US Federal law was prohibited from becoming involved in education, including related services and programs."
This voice representing the consumer (here specifically the student) perhaps marks the beginning of the real debate. This is just the beginning, and it should be remembered that that European Union took many years in developing GDPR. Big tech has not yet added its voice -- and probably only will if it senses that business is losing the argument.
"It is a good baseline for discussion and of course goes beyond the protections in GDPR and California Consumer Privacy Act (CCPA) in the types of data covered," David Ginsburg, VP of marketing at Cavirin, told SecurityWeek. "However, we are already seeing a disconnect between what is proposed on the state level (i.e., CCPA) and what the major social platforms would like to see on the national level due to their monetization of user data. I expect this to be the major point of contention."
Dr. Bret Fund, founder and CEO at SecureSet, is supportive. "I applaud Intel's proactive approach to defining 'personal data' and 'privacy risk', drafting a bill and creating an open forum where all can comment and weigh in. From the interaction I am seeing from many in the industry on their site, it is surfacing the right questions, comments and debate. Intel's bill isn't going to solve the privacy concerns and debate single-handedly, but their approach goes a long way to move it forward in a very productive manner."
Whether Intel will adapt its draft in line with any of the comments it receives remains to be seen. Similarly, Congress, which many people feel is likely to develop a federal user privacy law in the very near future, may simply ignore every aspect of Intel's proposal. If it does not, this Intel project could develop into a rich source of arguments put forward by business interests, privacy advocates and the general public.