The Privacy Project: Do Americans Need An FDA for Data Protection?

Do Americans need an F.D.A. for data protection? (Doug Chayka/The New York Times)

After Apple discovered in June that certain MacBook laptops could overheat, posing a fire hazard, the Consumer Product Safety Commission quickly issued a warning, along with information about consumer burns and smoke inhalation.

But after Apple learned that its FaceTime video chat app was enabling consumers to listen in on the conversations of people they called — even when the recipients did not answer their phones — there was no designated federal protection agency to warn Americans or collect reports of privacy invasions.

After Fitbit wristbands began causing people to develop skin rashes and blisters a few years ago, the consumer safety agency announced a recall of about one million of the fitness tracking devices.

But after Strava, a popular fitness tracking app, posted a granular map of its users’ workout routines last year, exposing the locations of users — including personnel on remote military bases in Iraq — there was no agency to alert users to the risks or stop the company from revealing their data.

Why are Americans protected from hazardous laptops, fitness trackers and smartphones — but not when hazardous apps on our devices expose and exploit our personal information?

In the United States, most products are regulated by federal agencies that develop safety standards and enforce fair business practice laws. It’s a consumer protection system that dates back to the 1880s when Congress established regulatory agencies to crack down on abusive giants like the railroad companies.

Today, the Food and Drug Administration vets new prescription drugs before they go on sale. The National Highway Traffic Safety Administration investigates automobile safety hazards and sets fuel economy standards. And the Securities and Exchange Commission protects investors from fraud in stock sales.

By contrast, Americans have almost no safeguards for apps in part because Congress has never established an agency to police Facebook, Instagram, Uber, YouTube and other online services that use sophisticated data-mining tools to surveil, sort and steer people on a massive scale.

In fact, the United States is virtually the only developed nation without a comprehensive consumer data protection law and an independent agency to enforce it. Instead, Americans have to rely on the Federal Trade Commission, an overstretched agency with limited powers, to police privacy as a side hustle. The regulatory void has left Americans at the mercy of digital services that have every reason to exploit our personal information and little incentive to safeguard it.

But that could be changing.

A spate of high-profile data protection failures at Facebook, Google and other giants have spurred public outrage, along with momentum for government oversight.

During the 2016 presidential election, Facebook’s advertising system enabled Russian influence agents to target African-Americans with posts telling them not to vote. Last year, Grindr, the same-sex dating app, shared data on its users’ H.I.V. status with two other companies. In September, Google agreed to pay a $170 million fine and change some of its data-mining practices to settle F.T.C. charges that its YouTube platform violated the federal children’s online privacy protection law.

Ralph Nader, the consumer rights crusader, told me that the tech industry’s “out of control” exploitation of personal data was giving him flashbacks to the 1960s when he was researching a book on the dangers of a then-unregulated automobile industry. That book, “Unsafe at Any Speed,” pushed Congress to establish a new agency, the highway traffic safety agency, to develop federal auto safety standards.

Now some consumer groups and members of Congress are calling for a sweeping data protection law, along with a dedicated federal regulator to enforce it. The idea is to provide Americans with the same level of safeguards for apps as they have for appliances.

“What there should be is a new data protection agency,” Mr. Nader told me. “You have to go into a new agency when the abuse pattern is so expansive that the authority in the existing agencies is obsolete and inadequate.”

Some experts say rising public concern about consumer data is based more on hysteria than actual harm. Creating a separate agency, they say, could hinder the development of beneficial digital services.

“A new agency like this would serve the function of meeting public appetite for some kind of demonstrative enforcement reaction to Facebook and Google,” Jane Bambauer, a law professor at the University of Arizona who studies the social benefits and costs of Big Data, told me. But she was skeptical about the need for a stand-alone data regulator. “Of all the issues facing consumers today, that is not the one that deserves this level of intervention.”

There is of course a middle ground. In mid-October, Senator Ron Wyden, Democrat of Oregon, introduced a bill to bolster the Federal Trade Commission’s powers to police privacy. Called the “Mind Your Own Business Act,” it would enable the commission to impose steep fines for privacy violations and hire 175 additional staff. It would also make it a crime for senior executives to knowingly lie to regulators about their companies’ data practices.

The United States was not always a data protection laggard. In 1974, Congress passed a law, the Privacy Act, regulating how federal agencies handled personal information. It was based on a credo, known as fair information practices, that people should have rights over their data. The law enabled Americans to see and correct the records federal agencies held about them. It also barred agencies from sharing a person’s records without their permission.

Congress never passed a companion law giving Americans similar rights over the records private companies have on them. Historically, Americans have feared big government more than big business. The European Union, by contrast, established a directive in 1995 governing the fair processing of personal data by both companies and government agencies.

Today, the European Union has an even more comprehensive law, the General Data Protection Regulation, and each member state has a national agency to enforce it. Those agencies in Belgium, France, Germany and other European countries have recently acted to curb data exploitation at Facebook, Google and other tech giants.

It’s not just the European Union. Australia, Canada, Japan and New Zealand have also established stand-alone data agencies. By contrast, American consumers have to rely largely on the F.T.C. to safeguard their personal information, a data protection system that privacy advocates consider as airtight as Swiss cheese.

The commission was established in 1914 to break up abusive monopolies — in oil, steel, sugar and other industries — and ensure fair market competition. In the 1990s, in the early days of the commercial internet, the agency began positioning itself as the country’s de facto privacy regulator. It has since developed expertise in areas like children’s online privacy and mobile app privacy.

But the agency has limited power and equally limited resources. In a letter to Congress in April, Joseph Simons, the commission’s chairman, said that his agency had only about 40 employees devoted to security and privacy issues — while Britain’s data protection agency had about 500 employees.


The agency also has limited attention for privacy.

Its chief enforcement mechanism is the power to investigate and sue companies for unfair or deceptive practices. That means the commission has the responsibility of policing a wide array of misbehavior by a sprawling universe of consumer product companies, from misleading marketing by cereal companies to unfair funeral home pricing to fraudulent labels on hockey pucks.

Can the same regulator simultaneously ensure the fair use of Americans’ data?

“To say to them, ‘Oh by the way, we also want you, while you are worried about hockey pucks, to take on and get your arms around the most dynamic and fast-changing and growing and economically powerful segment of the economy,’ I think may be asking them to be superhuman,” said Tom Wheeler, the former chairman of the Federal Communications Commission.

The regulatory history of corporate America over the last century is a tale of one giant industry after another abusing its market power — until Congress establishes a new agency to rein it in.

In 2007, for instance, Elizabeth Warren — at the time a professor at Harvard Law School and now a Democratic senator and presidential candidate — wrote a landmark article called “Unsafe at Any Rate.” The title was a play on Mr. Nader’s “Unsafe at Any Speed.”

In that treatise, Professor Warren argued that novel financial products had far outpaced consumer protections, making it easy for unscrupulous lenders to prey on vulnerable Americans. Four years later, Congress established the Consumer Financial Protection Bureau. (The Trump administration has recently curbed the agency’s role.)

Powerful companies that harvest and monetize Americans’ personal data are now facing a similar moment of reckoning.

“The scale and scope of use, and also of abuse and misuse, is staggering,” Senator Richard Blumenthal, Democrat of Connecticut, told me. As a remedy, he wants Congress to establish either a new agency or a new data protection bureau within the F.T.C. “Some kind of enforcement agency is necessary,” he said. “One way or the other, it has to be a real watchdog.”

Earlier this year, more than a dozen consumer groups asked Congress to enact baseline privacy protections for consumers and establish a new data protection agency to enforce them. Civil rights experts say a stand-alone data regulator is needed to protect consumers from algorithms that may automatically shunt them in detrimental directions — potentially steering them toward predatory loans, say, or away from job opportunities.

Rashad Robinson, president of Color of Change, a civil rights group, said his organization struggled over the past few years to persuade Facebook and Google to stop allowing predatory payday lenders to use their platforms to target cash-strapped African-Americans. In August, Google banned high-interest lenders from its Google Play app store. “They did it because of pressure, not because they are being held accountable,” Mr. Rashad said. “Without the sort of agency that should be there to hold the industry accountable, we are all going to pay the price.”

But even if Congress were to establish a new agency, fundamental questions about the country’s approaches to data protection would remain. Should regulators be allowed to intervene only after Americans have suffered concrete harms from data misuse, like identity or financial theft? Or should violating an individual’s right to control their personal data be considered a harm in and of itself, whether or not more concrete damage can be demonstrated?

Silicon Valley executives often argue, and rightly so, that the concrete-harms standard helped enable the American tech industry to create online services that are now the envy of the world — while the rights-based model is a major reason European companies largely have not.

California has also been an innovator in data regulation, including enacting the nation’s most comprehensive consumer privacy law, which takes effect in January.

Now two Democratic members of Congress who represent Silicon Valley are preparing to introduce a consumer privacy bill. It calls for the establishment of a federal “digital privacy agency” that would protect Americans’ personal information and prohibit companies from using that data for discriminatory purposes in areas like jobs and credit.

A stand-alone agency, of course, would not be a panacea. But it would give Americans more insight into — and power to challenge — the opaque data-mining practices of tech giants, civil rights groups and privacy experts say.

“We are talking about an absolute power imbalance that will not be solved without very strict rules of engagement for corporations that want to market on the internet,” Mr. Robinson, the Color of Change president, told me. “We need to have a new data protection agency, an agency that examines the social, ethical impact of high-risk data practices.”

Natasha Singer covers technology for The New York Times.
