By Florian Schaub, Assistant Professor of Information; Assistant Professor of Electrical Engineering and Computer Science, University of Michigan.
Facebook CEO Mark Zuckerberg’s Congressional testimony will discuss ways to keep people’s online data private, which I’m interested in as a privacy scholar. Facebook and other U.S. companies already follow more comprehensive privacy laws in other countries. But without comparable requirements at home, there’s little reason for them to protect U.S. consumers the same way.
Inform customers and secure data
- tell customers their data practices,
- give people some choice about additional uses,
- provide people with access to information about them, and
- ensure the security of the data collected.
Online tracking and advertising is self-regulated: Industry associations set rules for their members. Data collection by emerging technologies, such as smart speakers or self-driving cars, is mostly unregulated. The FTC does investigate if companies are “unfair or deceptive,” but firms that prominently disclose what they do may avoid trouble.
Strong limits on data collection
Europe, by contrast, generally prohibits collecting and using personal data. Its General Data Protection Regulation, which takes effect on May 25, applies to all businesses and government agencies in European Union member countries – including U.S. companies offering services in Europe.
The GDPR gives six reasons for collecting personal data. But even then, any analysis must be closely related to the purpose for which the data was collected. For example, a fitness-tracking company couldn’t sell users’ exercise data to a health insurance company without additional consent. Companies that violate the GDPR may be fined up to 20 million euros, or 4 percent of the firm’s worldwide annual revenue.
Many other countries, including Mexico, Switzerland and Russia, have adopted comprehensive privacy regulations like the EU’s. Canada also broadly regulates how government agencies and private companies use data.
The advantage of comprehensive privacy protections is that they’re consistent across services and industries, even as new technologies emerge.