When it comes to issues of privacy protection, taxpayers already have reason to be skeptical of those who say “we’re from the government and we’re here to help.” After all, as a recent policy paper from our research arm documented, the demands the IRS places on our financial and personal privacy – along with the tax agency’s deficiencies in combating identity theft – are serious burdens in their own right. So too are the impositions of other federal agencies such as the Transportation Security Administration.
Yet, as “Star Trek’s” immortal Doctor McCoy once quipped, “the bureaucratic mentality is the only constant in the universe,” and with it the drive to pile regulations on top of one another. Many advocates of limited government fear this may be the case with the Commerce Department’s recent “Consumer Privacy Bill of Rights,” a laundry list of strictures for the private sector on how to treat data as it relates to citizens. Though not a law yet, this legislative proposal from the Administration is a code of conduct that Washington seems to expect from private-sector companies that utilize consumer data.
Of course, Americans are concerned about protecting their privacy in the Digital Age. Yet, to have a balanced discussion about whether more government rules can allay or abet those concerns, here are a few points worth pondering.
1) A whole alphabet soup of federal privacy laws – such as the FTC Act, HIPAA, FCRA, ECPA, and FERPA –has been cooked up to feed the regulatory state already. At one point in time or another each of these laws received legislative scrutiny and debate over whether they responded to facts on the ground. Can the same be said of the Consumer Privacy Bill of Rights? Where is the statistical evidence backing up each plank of this regulatory missive? And while we’re at it, before the feds heap another set of rules onto the stack, shouldn’t public officials evaluate the body of existing laws and regulations to determine if they need to be re-tuned?
The federal government has already taken out punishments such as consent decrees that can bind innovator firms for up to 20 years for “privacy violations” or security breaches. Such time periods are almost inconceivable in an industry that marks the pace of development (and market shifts) in months, or even weeks.
2) Much of the Commerce Department’s document has familiar echoes of the Federal Trade Commissioner Edith Ramirez’s crusade on behalf of a bigger role for her agency in cracking down on privacy violations. Her prescriptions, which were outlined in a closely followed August 2013 speech, bore more than a passing resemblance to what is called the “precautionary principle”: a risk-averse dogma that calls for tight government-supervised controls on private-sector data use even if doing so might deprive consumers, taxpayers, and the economy of potential gains from the next big discovery.
What could be at stake? Adam Thierer of the Mercatus Center explained the matter succinctly very shortly after Ramirez’ speech:
[T]he cornucopia of innovation information options and opportunities we have at our disposal today was driven in large part by data collection, including personal data collection. …For example, many of the information services and digital technologies that we enjoy and take for granted today – language translation tools, mobile traffic services, digital mapping technologies, spam and fraud detection tools, instant spell-checkers, and so on – came about not necessarily because of some initial grand design but rather through innovative thinking after-the-fact about how preexisting data sets might be used in interesting new ways.
The precautionary principle pervades thinking among European regulators – and European citizens end up paying the price in fewer choices and less enterprise. Do we really want to crack open the door a little wider to importing such a restrictive, anti-growth regime from a region whose overall tax and regulatory burdens far exceed those in the U.S.?
Furthermore, one analysis from the TechAmerica Foundation puts the contribution of the tech industry to annual U.S. economic activity at $1 trillion, and employment at 6.3 million. Clearly, technology fuels a significant share of our commerce and productivity. Shouldn’t policymakers give some consideration to how a more precautionary approach from the Commerce Department or the FTC could affect America’s already-beleaguered entrepreneurial environment?
3) One part of the legislation would empower regulators to hit companies with civil penalties if their data privacy shortcomings were judged to cause “substantial emotional distress.” Compare and contrast this elastic definition with the Department’s new plan forcing companies to set up federally-overseen privacy review boards, one of whose tasks would be to ensure that new uses of consumer data can demonstrate a “substantial societal benefit.” To some innovators, these types of provisions would be impossible standards to prove; to some lawyers, it could be an irresistible basis of costly lawsuits. We’ve been down that unproductive road before – are we about to enter it again?
So far the reaction to the Administration’s legislation – a work in progress since at least 2012 – has been mixed. Some policy experts are concerned over the impact on the uniquely American, innovation-based economy, while other self-appointed consumer advocates seek more draconian steps. For its part, the FTC does not seem to believe that the Commerce Department’s imitation of its even broader regulatory vision is the sincerest form of flattery. But whatever the fate of the “Consumer Privacy Bill of Rights,” Americans need to thoughtfully question whether proposals intended to protect their privacy are instead allowing Big Brother to grow and flourish. No one has all the answers, but it’s important to start asking the questions.