
Opinion: How to design a US data privacy law

Op-ed: Why you should care about the GDPR, and how the US could develop a better version.

Nick Dedeke
Nick Dedeke is an associate teaching professor at Northeastern University, Boston. His research interests include digital transformation strategies, ethics, and privacy. His research has been published in IEEE Management Review, IEEE Spectrum, and the Journal of Business Ethics. He holds a PhD in Industrial Engineering from the University of Kaiserslautern-Landau, Germany. The opinions in this piece do not necessarily reflect the views of Ars Technica.

In an earlier article, I discussed a few of the flaws in Europe’s flagship data privacy law, the General Data Protection Regulation (GDPR). Building on that critique, I would now like to go further, proposing specifications for developing a robust privacy protection regime in the US.

Writers must overcome several hurdles to have a chance at persuading readers about possible flaws in the GDPR. First, some readers are skeptical of any piece criticizing the GDPR because they believe the law is still too young to evaluate. Second, some are suspicious of any piece criticizing the GDPR because they suspect that the authors might be covert supporters of Big Tech’s anti-GDPR agenda. (I can assure readers that I do not, nor have I ever, worked to support any agenda of Big Tech companies.)

In this piece, I will highlight the price of ignoring the GDPR. Then, I will present several conceptual flaws of the GDPR that have been acknowledged by one of the lead architects of the law. Next, I will propose certain characteristics and design requirements that countries like the United States should consider when developing a privacy protection law. Lastly, I provide a few reasons why everyone should care about this project.

The high price of ignoring the GDPR

People sometimes assume that the GDPR is mostly a “bureaucratic headache”—but this perspective is no longer valid. Consider the following actions by administrators of the GDPR in different countries.

  • In May 2023, the Irish authorities hit Meta with a fine of $1.3 billion for unlawfully transferring personal data from the European Union to the US.
  • On July 16, 2021, the Luxembourg National Commission for Data Protection (CNDP) issued a fine of 746 million euros ($888 million) to Amazon Inc. The fine was issued due to a complaint from 10,000 people against Amazon in May 2018 orchestrated by a French privacy rights group.
  • On September 5, 2022, Ireland’s Data Protection Commission (DPC) issued a 405 million-euro GDPR fine to Meta Ireland as a penalty for violating GDPR’s stipulation regarding the lawfulness of children’s data (see other fines here).

In other words, the GDPR is not merely a bureaucratic matter; it can trigger hefty, unexpected fines. The notion that the GDPR can be ignored is a fatal error.

9 conceptual flaws of the GDPR: Perspective of the GDPR’s lead architect

Axel Voss is one of the lead architects of the GDPR. He is a member of the European Parliament and authored the 2011 initiative report titled “Comprehensive Approach to Personal Data Protection in the EU” when he was the European Parliament's rapporteur. His call for action resulted in the development of the GDPR legislation. After observing the unfulfilled promises of the GDPR, Voss wrote a position paper highlighting the law's weaknesses. I want to mention nine of the flaws that Voss described.

First, while the GDPR was excellent in theory and pointed a path toward the improvement of standards for data protection, it is an overly bureaucratic law created largely using a top-down approach by EU bureaucrats.

Second, the law is based on the premise that data protection should be a fundamental right of EU persons. Hence, the stipulations are absolute and one-sided or laser-focused only on protecting the "fundamental rights and freedoms" of natural persons. In making this change, the GDPR architects have transferred the relationship between the state and the citizen and applied it to the relationship between citizens and companies and the relationship between companies and their peers. This construction is one reason why the obligations imposed on data controllers and processors are rigid.

Third, the GDPR aims to empower data subjects by giving them rights and enshrining these rights in law. Specifically, the law enshrines nine data subject rights: the right to be informed, the right of access, the right to rectification, the right to be forgotten (erasure), the right to data portability, the right to restrict processing, the right to object to the processing of personal data, the right to object to automated processing, and the right to withdraw consent. As with any list, there is always a concern that some rights may be missing. If critical rights are omitted from the GDPR, this hinders the effectiveness of the law in protecting privacy and data protection. Specifically, in the case of the GDPR, the protected data subject rights are not exhaustive.

Fourth, the GDPR is grounded on a prohibition and limitation approach to data protection. For example, the principle of purpose limitation excludes chance discoveries in science. This ignores the reality that current technologies, e.g., machine learning and artificial intelligence applications, function differently. Hence, these old data protection mindsets, such as data minimization and storage limitation, are not workable anymore.

Fifth, the GDPR, on principle, posits that every processing of personal data restricts the data subject’s right to data protection. It requires, therefore, that each of these processes needs a justification based on the law. The GDPR deems any processing of personal data as a potential risk and forbids its processing in principle. It only allows processing if a legal ground is met. Such an anti-processing and anti-sharing approach may not make sense in a data-driven economy.

Sixth, the law does not distinguish between low-risk and high-risk applications; it imposes the same obligations on every type of data processing application, with a few exceptions that require consultation of the Data Processing Administrator for high-risk applications.

Seventh, the GDPR also excludes exemptions for low-risk processing scenarios or when SMEs, startups, non-commercial entities, or private citizens are the data controllers. Further, there are no exemptions or provisions that protect the rights of the controller and of third parties for such scenarios in which the data controller has a legitimate interest in protecting business and trade secrets, fulfilling confidentiality obligations, or the economic interest in avoiding huge and disproportionate efforts to meet GDPR obligations.

Eighth, the GDPR lacks a mechanism that allows SMEs and startups to shift the compliance burden onto third parties, which then store and process data.

Ninth, the GDPR relies heavily on government-based bureaucratic monitoring and administration of GDPR privacy compliance. This means an extensive bureaucratic system is needed to manage the compliance regime.

There are other issues with GDPR enforcement (see pieces by Matt Burgess and Anda Bologa) and its negative impacts on the EU’s digital economy and on Irish technology companies. This piece will focus only on the nine flaws described above. These nine flaws are some of the reasons why the US authorities should not simply copy the GDPR.

The good news is that many of these flaws can be resolved.

Design specifications for a US privacy protection regulation

US authorities should take on the challenge of developing an improved privacy protection approach that would overcome the flaws of the GDPR. In this section, I will describe some of the characteristics that such an approach might have.

Develop a privacy protection law using a collaborative public-private partnership. To ensure that a privacy law is not only good in theory, its development has to involve multiple constituencies from the private sector. This approach has three advantages. First, the private sector possesses competencies that public sector politicians and bureaucrats lack, namely the technical, economic, and social competencies needed to implement change. Second, the private sector has better insight into the complexity of technologies and a keen awareness of which privacy protection approaches are no longer feasible. Third, a law developed through public-private collaboration will not only be suitable for use but also be welcomed by the private sector, given that it helped to create the law.

Redefine the relationship between data subjects and data controllers as a fiduciary relationship. The GDPR frames data privacy and protection as a fundamental human right. By adopting this perspective, the law treats the relationship between data subjects and data controllers as akin to the relationship between citizens and a state. This seems to be a stretch for two reasons. Fundamental human rights are the basic rights that all people are entitled to, regardless of their background or circumstances. Fundamental rights include the right to life, the right to a fair trial, freedom of speech, freedom of religion, and so on. It somehow feels inappropriate to equate data privacy and data protection of citizens, which occurs within an exchange relationship between data subjects and data controllers, to a fundamental human right. Applying the fundamental rights principle to data exchange relationships is also complex because the data subject could sell his personal data to others or even provide it for free to the companies. Under these conditions, the law would be attempting to protect data that the data subject is giving away without regard for her/his privacy.

There is also the complexity that third parties purchase and become possessors of other people’s data while enticing data subjects with free services to incentivize them to accept privacy rules that favor data controllers. This implies that in these kinds of relationships, the data possessor could cause the data subject to waive their fundamental rights by contract.

These complexities suggest that the relationship between data subjects and controllers might be better conceptualized as fiduciary. A fiduciary duty is said to exist in relationships in which one party (usually the one with special competence in an area) is entrusted to act and make decisions for the principal or beneficiary. Fiduciary duty refers to the obligations the fiduciary owes to the principal or beneficiary. Examples of relationships that impose fiduciary duties include attorney/client, executor/heir, guardian/ward, agent/principal, and trustee/beneficiary relationships.

Following this perspective, I argue that the data controller/data subject relationship is best deemed a quasi-fiduciary relationship. The data subject to data controller relationship differs from a typical fiduciary relationship in one respect. In the typical case, a fiduciary is the party charged with managing money or property on behalf of someone else. In the case of the information relationship, the fiduciary is not charged with making decisions on behalf of the data subject, and the controller’s decisions strictly benefit the controller itself. Hence, the data controller is a quasi-fiduciary who has to make decisions that do not harm the privacy rights of the data subjects.

Transform data subject rights into fiduciary duties of the data controller. In a rapidly changing era of data analytics and artificial intelligence applications, it is difficult to understand how technology will change and to determine in advance which rights the data subject will need.

Even with the current GDPR, several rights are missing. For example, the GDPR includes a right to withdraw consent without including the data subject's right to before her/his data is captured or stored. Similarly, the GDPR grants the data subject the right to demand that all of her/his data be erased, but it does not grant her/him the right to object to the storage of part or all of her/his data beyond an agreed-upon time.

The GDPR also grants the data subject several rights regarding data processing. However, the GDPR does not grant the data subject any rights regarding data sharing with third parties or the rights to object to or limit the sale of data. This implies that the GDPR is silent about one of the most critical risks to the data subject. The risk is caused when the private data of the data subject is sold, in some cases, to multiple partners.

If critical rights can be omitted from a privacy law, the law would have to be updated each time the characteristics of the modern data processing economy change. This would make every improvement in privacy and data protection dependent on the political process of legislation. I argue that the data subject's rights might be better protected by specifying fiduciary duties in a privacy law. For example, one could include the following duties.

Duty of care: The data controller must adhere to a standard of reasonable care, avoiding careless acts, so that the gathering, storage, sharing, processing, and destruction of protected information occur legally and fairly, comply with industry best practices, and proceed only with the appropriate data subject consent.

Duty of confidentiality: The data controller must implement reasonable policies, tools, and practices to mitigate foreseeable events that might cause the data or information about a data subject to be leaked, compromised, used, or shared against the consent of the data subject. Such data must be kept confidential and must not be used for the benefit of persons not authorized by the data subject.

Duty of disclosure: The data controller has a duty to disclose a reasonable amount of information about the scope and type of data, acquisition date, sharing intensity, sharing partners, and the purposes of the processing with the data subject.

Duty of loyalty: The data controller has a duty to handle (gather, protect, process, disclose, or share) highly confidential, most sensitive, and legally protected information solely in the interest of the data subject.

Avoid the practice of unilaterally imposing privacy laws on everyone delivering services via the Internet. One of the temptations that has to be resisted is the tendency to impose a good standard or law on everyone by legislative or procedural fiat. This is particularly problematic when only one solution has been developed. Consider what would have happened if the government had banned the development of any new car after the Ford Model T was introduced.

The benefit of imposing a standard on everyone is apparent. If something is made a standard by law, it is adopted as a cost of doing business. The downside of such a plan is that it crowds out innovation and other options that could be better than the first. Given the historical, cultural, technical, innovative, and legislative diversity worldwide, it is plausible to expect that privacy protection can be accomplished in multiple ways. The preferable approach might be for each protection approach to have a specific jurisdictional boundary. That way, other regional powers would have the opportunity to create other approaches that achieve the same ends. If privacy protection is a passive right, there is no reason why it should be imposed on everyone, everywhere.

Redefine the root cause of privacy breaches as the absence of risk definition, detection, and mitigation. The main argument here is that privacy breaches occur primarily due to a lack of awareness of processing risks and/or a lack of adequate response to processing risks. In other words, processing itself does not jeopardize data subjects' privacy. Instead, executing processing without, or before, the deployment of appropriate mitigations or privacy controls undermines a subject’s privacy protection. According to this principle, privacy threats are likely to materialize whenever existing privacy risks are not resolved, emerging privacy risks are not detected, or the mitigations deployed are inappropriate or insufficient to contain such risks.

Recast the principle for ensuring data protection to be the minimization and mitigation of high-risk applications and processing. A different principle that I propose here is that the data subject's privacy is protected the more an organization avoids running risky processes, rather than by restricting every instance of personal data processing. This will require a change where data processing no longer needs a justification based on the law. In other words, data can be processed once the operation of the process is judged to be within the risk profile, in which privacy risks can be excluded if the subject has authorized the purpose. This change will create a new mindset and scheme which is neither anti-processing nor anti-sharing.

Integrate mechanisms in the privacy protection law to enable practitioners to differentiate low-risk from high-risk applications. One of the meaningful differentiations that the US privacy law should accomplish is offering guidelines that would enable data controllers and data processors to identify high-risk and low-risk processes. This is one of the areas of the law that would benefit from the input of experts from the private sector. Identifying the “correct and perfect way” to classify such processes might not be necessary. Instead, it would be sufficient to use the consensus of experts in the industry or sector.

Integrate exemptions in the privacy protection law to accommodate the difference between low-risk and high-risk processes and for entities transferring their duties to third parties. A privacy law that takes a different approach than the GDPR would include exemptions for low-risk processing scenarios that typically occur with SMEs, startups, non-commercial entities, or private citizens. Furthermore, the law should also accommodate the scenario in which an organization transfers its data controlling and processing responsibilities to third parties. In such cases, the organization transferring its responsibilities to a third party would get exemptions for the duties associated with such processing. On the other hand, the third-party processor will have to acquire those duties and be responsible for legally performing them.

Shift from bureaucratic administration to private-sector monitoring. The GDPR relies heavily on government monitoring and administration of GDPR privacy compliance, which means an extensive bureaucratic system is needed to manage the compliance regime. A focus on privacy protection instead means that punishment and fines would be levied on a company when it is found to have violated privacy norms and practices, not merely when it has processed data non-compliantly. For example, an organization would not be punished for gathering and storing more data than needed for a purpose, but for failing in its fiduciary duties to promote the privacy of data subjects and to adopt privacy-enhancing schemes and means that match the risk exposure of the particular processing.

A focus on data privacy would mean that privacy rights management technologies could be created to set privacy rules for personalized data and to prevent unauthorized persons from infringing on the privacy of data subjects. Hence, data controllers could more easily manage customer privacy protection with sophisticated software.

Why should you care about the redevelopment of the GDPR?

At first glance, it seems that only Big Tech companies should care about revamping the GDPR. After all, they are the ones getting huge fines. It is also understandable that some people might think Big Tech is getting what it deserves.

My own complaint against Big Tech companies is that they have too much power and often exercise it in questionable or monopolistic ways. I am neither opposed to Big Tech companies nor to the EU in principle, but I would like to make sure that neither side can exert undue or arbitrary power.

Most privacy professionals, company executives, and even data subjects are sensing that something needs to be changed about the current GDPR approach and enforcement. This change is less likely to come from the EU Parliament members. This is because the GDPR is still considered by many to be a fantastic achievement of the EU. What could likely bring some change is if a country like the US developed a different privacy approach that would bring choice and a new perspective into this important segment of protection of the privacy of data subjects. I hope that this piece contributes in some way to such an effort.

Please leave me your comments; I am always interested in learning and developing ideas further.
