The European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), both now in force, emphasize penalties for companies that violate their provisions. EU member countries, for example, have already levied 190 fines and penalties.
Only the GDPR imposes a mandatory, affirmative obligation on organizations covered by it to consider privacy at the initial design stages of developing new products, processes, or services that involve personal data processing. Those found to be in violation can face financial and other penalties imposed by a country’s data protection agency.
The EU’s approach here is salutary. It has developed a policy that privacy protection should be built into digital information technology systems at the outset. But the GDPR is all sticks and no carrots.
The goal of the EU’s privacy by design requirement is to encourage innovation in developing, on a continuing basis, new engineering methods that serve the aim of better consumer privacy protection at the outset. Innovation, however, typically is produced in the marketplace rather than by government fiat.
Perhaps the absence of a privacy by design requirement in the CCPA implicitly recognizes that innovation cannot be required in the manner that the GDPR specifies.
But that leaves open how the United States, whether at a state or federal level, will encourage privacy by design, both at the system and device level, within any new legislative or regulatory framework.
In order to do so, it should view innovation as the driving force for this concept, and accordingly begin to explore what carrots it can offer along with potential sticks attached to effective compliance provisions.
The new app Jumbo is a case in point. It manages privacy settings for users on four different services: Twitter, Facebook, Google search and Amazon’s Alexa, with future plans to also include Instagram and Tinder. The app is available now only on iPhones, however, with an Android version that the company says is forthcoming.
Viewed in a broader context, Jumbo represents just the type of privacy innovation that should be encouraged, rather than reduced to a regulatory compliance checklist. This means that U.S. policymakers have an opportunity to think about innovation carrots as well as sticks, which the GDPR and the CCPA so far have failed to do.
There is a range of incentives that might stimulate more, better, and broader privacy by design innovation, such as targeted R&D tax credits; limited antitrust immunity for companies in the same field that want to jointly engage in privacy by design; or voluntary safe harbor provisions that would help reduce regulatory liability.
The United States is the beacon of the world in encouraging innovation. Creative and proactive policymaking can reward innovators as well as punish those who are lax in staying within legally defined digital privacy parameters.
Our nation now should see how to adapt a carrot-rich approach to privacy by design, which can complement the need to utilize sticks in order to enhance current consumer digital privacy protection.