EU has figured out privacy, why can’t we?

Imagine if there were a law that said companies had to specifically tell you:

  • What type of your information they are gathering;
  • What they are using it for;
  • How long they are going to use it before they erase it.

And you had to approve of all of it, or they could gather none of it.

It’s actually not so hard to imagine.

On May 25, the European Union will institute the General Data Protection Regulation — what is being called GDPR.

Now, imagine that same law — one that already has been written — being added to the U.S. legal system.

That may be much harder to imagine.

So said Bob Anderson, a partner at the Westfield office of Lindabury, McCormick, Estabrook & Cooper, where he serves as a co-chair of the firm’s Cybersecurity and Data Privacy Group.

Anderson feels GDPR will have a huge impact in Europe, where he said there is a different view of privacy.

“In the EU, they have taken the position that privacy is a fundamental human right,” he said. “We certainly have not taken that position in the U.S., especially in terms of digital information.

“For the most part, it’s sort of been open season, and whatever people can get away with selling and marketing, they do.”

The appearance of Facebook CEO Mark Zuckerberg before Congress this week — on the heels of numerous leak-type incidents involving information at the company — brought the idea to the forefront.

It also brought a lot of bluster.

“If Facebook and other online companies will not or cannot fix these privacy invasions, then we will,” Sen. Bill Nelson (D-Fla.), the highest-ranking Democrat on the Commerce Committee, said.

Anderson doesn’t necessarily think they will, especially when they figure out how complex the bill is.

While it certainly would be nicknamed the Facebook Law, the impact would go far beyond digital companies. (How many companies are gathering data now?)

“This is an incredibly complex regulation,” Anderson said. “I know companies all over Europe are trying to figure out how to deal with this and what it truly means.

“To just apply that generally to the U.S. would not be easy. And it does impose a lot of restrictions on what companies can do — and not just internet companies. There are folks in Congress who are not big friends of regulations. I think this would be a hard sell unless the public clamors for these privacy protections.”

While it would cost companies millions to prepare for such a law (as it has in Europe), it can be done. And it would be easiest for companies such as Facebook and Google, which already have plans in place.

“(Facebook has) the platform to do it, it would just be the matter of extending it,” Anderson said. “Obviously, there’s a lot of users, so there are some logistical issues, but conceptually, they have everything they need to implement it.”

It would be hard and it would be expensive. But what does it say about us if we’re not willing to fight the good fight for something so important?

The end result may be worth it.

“I think this really is going to change things in Europe,” Anderson said. “I think it really is an entirely different way of looking at life and privacy — and I think it’s going to make a real difference in the EU.

“I think, as people start to appreciate how much of their information is being used in ways they would perhaps not like it used, there may be some buildup in the U.S. for something comparable — although I have a difficult time seeing the U.S. Congress passing something as comprehensive.”

The alternative is leaving it up to Facebook.

Anyone think that’s a good plan?