Preventing New and Emerging Consumer Harms

Innovations based on consumer data are often an enormous benefit for individuals and for society writ large. Yet new innovations, or more intensive use of consumer data, can also make new threats to consumers possible.

Ideally, our country’s policies and laws concerning personal data should be optimized to increase the pace and magnitude of beneficial, data-driven innovations while simultaneously producing new protections against emerging threats. Unfortunately, virtually all draft privacy legislation recently contemplated or introduced accomplishes neither of these goals. At best, the most well-crafted draft privacy legislation seems addressed only at resolving current problems with the unpermitted usage, mishandling or poor safeguarding of consumer data.

As an advocate for consumers and for innovators (whose interests often align in unexpected ways), this often makes me want to scream. Staying on this path will only worsen our challenges by enacting laws that are not well matched to where our economy is headed and what protections consumers will need in the future. In short, our lawmakers should be admonished: “Don’t fight the last war, prepare for the next one!”

The good news is that we are not in a data war. The better news is that Intel’s proposed privacy legislation – perhaps uniquely among draft bills I’ve seen – seems to embody this win-win approach. I highlight several novel provisions:

1) Requiring companies sharing data with third parties to assess the risks of that data sharing and attempt to mitigate any negative consequences from that sharing;

2) Imposing burdens on third party companies who obtain data even indirectly;

3) Requiring companies to consider the consequences, if any, for consumers when the company will process that personal data using emerging technologies such as artificial intelligence, machine learning and/or predictive analytics;

4) Prohibiting misuse of data for wrongly excluding consumers from certain business opportunities or access to services, redlining, harmful price discrimination, misuse of genetic data, violating laws, or denying a US person their rights and privileges under the law.

These four provisions would begin to tackle the emerging problems of: vendors and subcontractors repurposing consumer data at arm’s length from the consumer whose data was collected; data brokers sharing and reselling data to anyone and everyone, obviating any other privacy protections in the law; bias and discrimination creeping into companies’ decisions regarding their customers without any transparency into those advanced forms of processing; and significant new risks to consumers from misusing personalization to manipulate pricing, make all-too-often erroneous predictions about consumers based on their neighbors, turn the promise of medical and genetic information into a risk to individuals and their families, or break laws.

Intel’s attempts to address these issues must be replicated and included in all other federal and state privacy laws going forward.

While I praise Intel for this forward thinking, I urge Intel to go further and propose additional legislative language to protect consumers while facilitating innovation. Intel should spell out what a real corporate redress program must look like for those instances when corporations just plainly “get it wrong” and misjudge their customers (or worse). No consumer should be forced to sue on some novel legal theory to avoid being charged an unfair price, or when they are prevented from getting credit (for example) on fair terms. Intel should help Congress by doing the hard work of building out what “corporate due process” should look like, so that customers can rapidly be made whole for corporate mistakes based on advanced uses or processing of customers’ data. A non-litigation redress mechanism would instill great confidence in the public and speed adoption of new data processing technologies, particularly those carried out purely or mostly by computers. Surely a balance can be struck that gives innovators legal clarity and consumers new legal protections.

Again, I cannot recall seeing any business lead on these questions, so Intel deserves praise for being brave and anticipating the future in which its business (and those businesses its chips make possible) thrives.

I hope Intel will press forward and further spell out technology-neutral, industry-sector-neutral protections for consumers’ data, so that we can have our innovations AND be sure those innovations benefit each of us.


5 comments

  1. Peter Swire
    Tim Sparapani raised great points about the challenge of “future proofing” a bill, knowing that new issues will arise over time. As one example, algorithmic transparency and discrimination due to algorithms have become hot topics in privacy debates. Before roughly the Podesta report in 2014, those topics had not been clearly identified. Those kinds of possible harms were not on the map.

    Roughly speaking, there are three ways that the law typically handles this common challenge – how to protect against future harms:

    (1) Use broad terms, such as “reasonable care” in torts or “unauthorized use” for computer hacking statutes;

    (2) Provide rule making authority, which the Intel draft bill does under 5 USC 553; or

    (3) Wait for the legislature to pass a new law, to address the new harm.

    Industry typically prefers the third choice – wait for Congress, and no binding requirements until then. Many observers, however, see how hard it is for Congress these days to update the law. Almost everyone agrees the Electronic Communications Privacy Act of 1986 needs an update – tech has changed just a bit since 1986 — but passage stalls year after year. If we want privacy protection actually to succeed for individuals, then I think the third choice is hard to defend.

    That leaves us the first two choices, somewhat simplified: (i) use “reasonable care” in handling individuals’ data; or (ii) give an agency (the FTC) rule making authority.

    I have long believed that the FTC, in these situations, should be given rule making authority. To industry, I say that yes there is risk of an overly-strict agency. On the other hand, how else does the system react to change?

    To address industry’s concerns, once again there are multiple texts in environmental law that cabin the federal agency’s discretion in various ways. The principal one is to require the agency to do a cost/benefit analysis to justify the regulation, hopefully with “costs” and “benefits” defined in a thoughtful way that includes non-statistical factors. Cass Sunstein is the guru on this topic, and led revisions to the federal cost/benefit process that resulted in Executive Order 13563. Vox published this interview with Sunstein on the topic, at https://www.vox.com/future-perfect/2018/10/22/18001014/cass-sunstein-cost-benefit-analysis-technocracy-liberalism.

    To see how this approach can work in practice, HIPAA provides a hopeful example. The HIPAA Privacy Rule was enacted after going through a thorough cost-benefit analysis. The rule has occasionally been updated since the first version of the “final rule” that issued in 2000. More to the point, the Office of Civil Rights at HHS has issued many FAQs over time, which provide the sort of guidance that the Intel draft bill supports in Section 8. Congress very occasionally has made updates, notably in 2009, but the FAQ process has done a pretty good job of guiding industry when new problems arise, backed up by the rulemaking power if something big happens.

  2. Marty Abrams
    I agree with Tim and Peter. I would also place great effort (as the Intel bill does) on the accountability chain. Organizations that facilitate other organizations using data, where the first is the steward, have an obligation to assure that conditions that come with the data travel with the data. Elizabeth Denham, currently the UK ICO, pioneered those concepts when she was the Canadian Assistant Commissioner for the private sector in 2009. The guidance she wrote on accountability when moving data is well in line with the Intel bill.

  3. Pam Dixon
    I like the idea of FAQs that allow for updates and interpretive guidance. HHS has been responsible and timely about responding to rapid technological changes. Something like the HHS FAQs could readily be put in place to allow for practical guidance to implementers.

    Marty’s point about ICO Elizabeth Denham’s work regarding guidance is well-taken; whatever form it takes, iterative and ongoing practical guidance will be essential.

    • Chris Wolf
      FAQs by the enforcement authority can serve as a kind of “regulation-lite,” adding meaning to existing statutory/regulatory language. On the utility of FAQs to assist in statutory interpretation, I note that in 2015, the FTC published “Complying with COPPA: Frequently Asked Questions,” and indicated “These revised FAQs from the FTC can help keep your company COPPA compliant.”

      • Tim Sparapani
        Chris Wolf’s reminder about the COPPA FAQs is spot on. These have been tremendously helpful to me and to my clients who are trying to interpret COPPA. This sort of “regulation lite” (I like that term) is one lightweight means of keeping any statute from becoming stale (or worse) shortly after enactment.