Oregon Senator Proposes a Consumer Data Protection Bill

Oregon Democratic Senator Ron Wyden drafted a data privacy bill akin to the recent General Data Protection Regulation (GDPR) legislation in Europe. Dubbed the Consumer Data Protection Act, Wyden’s bill would give users more control over selling and sharing their data, and would give the Federal Trade Commission authority to set privacy and security standards and fine those companies that do not protect consumer data. One provision is a “Do Not Track” feature that would allow people to opt out of being tracked.

Digital Trends reports that the latter is “the digital equivalent of the popular Do Not Call Registry established by the FTC in 2003, which allows people to opt out of receiving phone calls from telemarketers.”

The bill would also hire 175 government staffers and require companies to “assess the algorithms that they use to process consumer data to determine whether they impact discrimination, privacy, or bias.” The latter is important because “as algorithms become more important in processing data … [they] are vulnerable to the same biases as the humans that create them.”

Fortune reports that Wyden’s bill would fine offending companies “up to 4 percent of their global, annual revenues for infractions,” similar to the GDPR, but would go further, jailing chief executives who “knowingly misled regulators” for up to 20 years and applying individual fines as high as $5 million. Big tech companies with revenues exceeding $1 billion or those that store data on 50+ million consumers on their devices would also be required to submit “annual data protection reports” to the government. Companies would have to offer alternative payment options “such as subscription fees instead of ad-supported ‘free’ models.”

At Georgetown Law’s Communication & Technology Clinic, teaching fellow and attorney Lindsey Barrett tweeted that Wyden’s bill “injects sorely needed accountability” into today’s flawed “information ecosystem.” But Rendition InfoSec co-founder Jake Williams, a National Security Agency veteran, noted that the bill is unlikely to pass. “Even if it does, it won’t mean what you might think,” he said. “It won’t create a SOX-style environment around cyber. Sorry.”

SOX refers to Sarbanes-Oxley, a 2002 financial reform put into place after the Enron meltdown to prevent similar problems. Williams said that Wyden’s proposed law “will box in cybersecurity practitioners,” by giving “corporate governance, risk, and compliance departments the right to ‘rule infosec’.” If such a law passes, the cybersecurity industry will likely be licensed. “Professional licensure is not good for a profession this young,” he said.