Digital privacy

Do people have a privacy right to control the personal information gathered when they use social media?

A broad bipartisan consensus is yes, they should.  However, attempts to pass a national data privacy act were piecemeal, with legislation in California and Virginia but not across the US.

The American Privacy Rights Act, proposed in Congress in April 2024, is the most recent approached to the question. The legislation would provide a national standard and harmonize US data privacy with Europe’s  General Data Protection Regulation (GDPR).

APRA does what many state laws have already required:

• Gives consumers access to data held by large social media profiling companies about themselves
• Allows consumers to review and edit
• Gives consumers the option to withdraw from profiling
• Gives a private right of action, allowing citizens to sue

The state laws differ in the mechanics of enforcement and the definition of social media profiling companies, which are often advertising and data processing companies working independently of social media such as Facebook, Twitter, etc.

Democrats would like to see stronger elements in areas like child protection, technology companies like Microsoft say they welcome a national law that clarifies the rising patchwork of state laws. At present the main US data privacy law is the 2018 Clarifying Lawful Overseas Use of Data (CLOUD) Act. Rather than being compatible with the GDPR, the  CLOUD Act overrules it, according to  some industry observers.

Data privacy in the EU

The EU General Data Protection Regulation (GDPR) governs how personal data of individuals in the EU may be processed and transferred. It went into effect on May 25, 2018.   It’s a comprehensive privacy policy  that applies across all business sectors and to companies of all sizes, including any operating but not based in the EU.

The GDPR requires that:

• Digital media companies ask users for consent to be tracked online
• Users have the right to access and correct information about them
• Users may erase links to information about them under most circumstances
• Digital media companies keep records of their interactions with users.

The teeth in the laws:  Until recently, many people thought the laws were not being enforced.  On Sept. 5, 2022, the Irish Data Protection Agency fined Instagram €405 million for violations of the GDPR for mishandling information tracking children.

New European regulations on digital privacy will take effect in 2023 and 2024.  As part of the new push to improve digital privacy, the EU fined Facebook / Meta   1.2 billion Euros for privacy violations on May 22, 2023.

Europeans have a long history in this area.  The Nazi regime used personal data sets and IBM computers to target Jewish people, with horrific results. The East  German communist secret police — the Stasi — kept track of everyone from the end of World War II until 1989. When the Berlin Wall fell, inaccurate Stasi data created an enormous amount of conflict.

 

Further Reading

• Robert E.G. Beens, “The Privacy Mindset of the US versus the EU,” July 29, 2020 Forbes magazine
• Anjali Das, “Trifecta of state privacy laws,”   Sept. 2022, National Law Journal
• What is the GDPR?  by the GDPR.
• Morgan Meeker, “The EU Has a Plan to Fix Internet Privacy: Be More Like Apple,” Wired Magazine, Jan. 25, 2022.