Last week, the Administration released its long-awaited privacy report. The new privacy framework includes a Consumer Privacy Bill of Rights and a Multistakeholder (MSH) process to develop “enforceable codes of conduct” that put those rights into practice.
The inclusion of this “Bill of Rights” raises some serious concerns. In adopting the language of “rights,” the Administration is moving toward the European approach, which also discusses privacy in terms of rights. This sends the wrong signal. The U.S. has created an environment that is much more conducive to IT innovation, partly as a result of our less regulatory privacy regime. It is not an accident that the U.S. has spawned literally all the great IT companies of the last couple of decades. Google, Facebook, Amazon, Microsoft and others all depend on personal information in one way or another. So, why we would want to move in the direction of Europe is a bit of a mystery.
Adopting the language of rights also provides a rationale for not subjecting privacy proposals to any kind of regulatory analysis. Rights are absolute. Once we label something a right, we’re saying we’re beyond the point of considering its costs and benefits. But privacy regulation involves major tradeoffs that we would be better off considering explicitly. The White House report does not do that and suggests there is no intention to do so in the future.
In the report, the Administration also voices its support for legislation. However, this seems somewhat inconsistent with the MSH approach described in the report. A key advantage of the MSH approach, if structured properly, should be greater flexibility relative to regulation that would typically result from legislation. This flexibility is vital for the tech sector, which is constantly changing. We should give the MSH process a chance to work before trying to adopt something more formal. Therefore, Congress should put efforts to enact privacy legislation on hold.