Et Tu, Facebook?
Tyler J. Owen
Vol. 40 Executive Editor
“Many people say data is the new oil—the oil of the twenty-first century. . . . If data is the new oil, then data protection is the new pollution control.” We live in a data-centric world. From our Cyber Monday purchases to the political pages we follow on social media, nearly everything we do online may be logged by firms that have a monetary interest in our data. This generally is not a bad thing. The standard ad-based business model provides access to internet services for many people who otherwise would not (or could not) participate in subscription-based models. And most of the data collected—as well as the manner in which they are used—are often unobjectionable to even the more private Internet users; this is especially true when firms only use data for their own purposes. Yet concerns obviously arise when these data are accessed by other firms absent users’ consent: like when Facebook’s policies led to the disclosure of nearly 87 million users’ personal data to political consultancy Cambridge Analytica ahead of the 2016 U.S. presidential election. Or when Facebook data are unlawfully accessed by third parties, as the most recent Facebook breach demonstrates. In these cases, users trusted Facebook with their data, and users were let down. Given the uncertainty of whether Facebook (and other similar companies) will actually be held accountable for data disclosures like these, a thoughtful review of the patchwork of American laws governing data privacy is certainly in order. But even if Congress were to comprehensively reform this country’s data privacy laws, such reform alone may be inadequate to safeguard Americans’ rights to data privacy. Like atmospheric pollution, personal data have a distinct capacity to evade the confines of national borders. Domestic laws are therefore often inadequate. An international legal regime that establishes a set of fundamental principles, on which both consumers and data firms (or at least some of them) can agree, may come closer to solving the problem. The General Data Protection Regulation The European approach is instructive. Through the General Data Protection Regulation (GDPR), which took effect this past May, the European Union cemented personal data protection as a “fundamental right” for all within the Union. The GDPR broadly defines “personal data” as “any information relating to an identified or identifiable natural person . . . .” It places strict requirements on the collection, processing, and security of personal data entrusted to vendors. And it has a remarkably international reach—even well beyond the European Union. At bottom, the GDPR recognizes that “personal data belongs to the person.” Its underlying principles for data processing are implemented by empowering consumers with greater control over their data and by imposing robust consent requirements on firms regarding the use of personal data. The GDPR gives consumers the right to access data held by any firm at any time and to demand that any firm rectifies inaccurate or incomplete data to fit the specified purposes for which the data were collected. Consumers also are granted a “right to be forgotten,” through which they can request that all their personal data held by a firm be wholly erased “without undue delay,” under certain circumstances. Further, the GDPR imposes requirements on firms relying only on the consent provided by consumers to access their data. Any firm’s request for consent must be in “clear and plain language” and “presented in a manner that is clearly distinguishable” from other matters. Consumers also have the right to withdraw consent at any time, and “it shall be as easy to withdraw as to give consent.” Finally, the firm must be able to demonstrate that the consumer in fact consented to the data collection and processing. In short, the effect of the GDPR is to standardize the rules of the game for handling personal data. Although perhaps not perfect, the GDPR serves as an instructive model for comprehensive reform of international data privacy laws. Moving Forward: Prioritizing Consent As breaches like the ones affecting Facebook in the last year highlight, the data privacy protections available under American law is complicated, incomplete, and unclear at best. The forms of legal recourse currently available in the United States are limited in that they often may fail to provide sufficient incentives to deter the unlawful disclosure of personal data. In short, these remedies are often retrospective in nature. But a policy fix that is prospective in nature, like one that places more robust requirements on firms collecting data through users’ “consent,” may be appropriate. But as alluded to above, a purely domestic approach may be inadequate. Data easily flows across borders (and may even be stored on servers located abroad—which itself makes enforcement of domestic privacy regulations complicated). Instead, an international regime would be ideal. While there are no uncomplicated solutions to the problem presented here, a more direct approach may be preferable. The United States could, for instance, enter into a treaty with the European Union, adopting the GDPR’s consent requirements (and the corresponding responsibilities that are imposed on firms). In so doing, firms attempting to collect Americans’ personal data per their consent would have to ensure that the user’s consent is informed and presented separately from any consent request for collecting other information. This would mean that instead of tucking notices of data collection away in rarely read privacy policies or terms of service agreements, firms would have to ensure that their consumers in fact know which of their data are being collected by the firm. This emphasis on a more informed consent standard would certainly represent a step in the right direction for protecting consumers’ privacy online. And to the extent that some of the GDPR’s more innovation-stifling requirements may be met with opposition from American business leaders (for example, the 72-hour breach notification requirement and the requirement to obtain prior-authorization before processing data in new ways), these provisions could be omitted from this first-step solution. Not only is prioritizing consent a user-friendly policy, it is also one that many American businesses (particularly those interacting with European consumers, but also some others) are already implementing to comply with the GDPR. A consent treaty between the United States and the European Union may also have the added benefit of simplifying existing cross-Atlantic data agreements, although the precise implications obviously would depend on the agreement ultimately enacted. Conclusion While it is impossible to adequately discuss a topic as complex as data privacy in a single blog post, the preceding attempts at least to flag the issues most relevant to protecting Americans’ privacy rights online. And while there are countless solutions available, policy makers should prioritize reforming consent standards. Although this would likely not be the only long-term reform needed, it would be a good first step—and would have the primary (and much needed) effect of providing more clear and effective data privacy protections to millions of Americans.
 Democracy (Indi Films 2017).  Kevin Granville, Facebook and Cambridge Analytica: What You Need to Know as Fallout Widens, N.Y. Times (Mar. 19, 2018), https://www.nytimes.com/2018/03/19/technology/facebook-cambridge-analytica-explained.html.  Mike Isaac & Sheera Frenkel, Facebook Security Breach Exposes Accounts of 50 Million Users, N.Y. Times (Sept. 28, 2018), https://www.nytimes.com/2018/09/28/technology/facebook-hack-data-breach.html.  See Granville, supra note 2. That is, of the tens of millions of Facebook users whose data was accessed by Cambridge Analytica, only roughly 270,000 users actually consented to release any data to the survey employed by Alexandr Kogan, a Cambridge Anayltica affiliate; but through this ‘consent,’ every one of these 270,000 survey-takers’ friends’ data—and the data of those friends—were shared with the survey application. Id.  Nuala O’Connor, Reforming the U.S. Approach to Data Protection and Privacy, Council on Foreign Rel. (Jan. 30, 2018), https://www.cfr.org/report/reforming-us-approach-data-protection (“Most Western countries have already adopted comprehensive legal protections for personal data, but the United States—home to some of the most advanced, and largest, technology and data companies in the world—continues to lumber forward with a patchwork of sector-specific laws and regulations that fail to adequately protect data.”); see also James Grimmelmann, Internet Law 294–95 (8th ed. 2018) (describing the U.S. approach to data protection as “sectoral,” and providing examples of American data protection laws including the Video Privacy Protection Act, the Children’s Online Privacy Act, and the Health Insurance Portability and Accountability Act).  Cf. Democracy, supra note 1 (comparing data protection laws to pollution regulations).  Commission Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), preamble, 2016 O.J. (L 119) 1, 1, 87 [hereinafter General Data Protection Regulation].  Id. at 33. Compare the GDPR’s broad definition with the Ninth and Third Circuits’ definition of “personally identifiable information” for purposes of the Video Privacy Protection Act of 1988: “information that ‘readily permit[s] an ordinary person to identify [a particular individual as having watched certain videos].’” Eichenberger v. ESPN, Inc., 876 F.3d 979, 985 (9th Cir. 2017) (alterations in original) (quoting In re Nickelodeon Consumer Privacy Litig., 827 F.3d 262, 290 (3d Cir. 2016)).  Id. at 35–37, 51–53.  This is so in three ways. First, the GDPR applies equally to all firms physically located within the European Union, regardless of whether their consumers are within the Union or not. Id. at 32–33. Thus, American citizens (or any other non-Europeans, for that matter) who send data to an EU-based firm would be protected by the GDPR. Second, the GDPR applies to the processing of personal data of any individual, citizen or not, who is physically situated within the European Union. Id. This consumer-focused jurisdiction means that entities physically located outside the Union’s borders could be subject to the GDPR (as long as they are either “offering goods or services” to, or “monitoring the behaviour” of, those within the Union). Id. Finally, the GDPR also applies to firms not physically within the European Union, but that are nonetheless located “in a place where [EU] law applies by virtue of public international law.” Id.  Democracy, supra note 1 (quoting EU Commissioner Viviane Reding in an oral statement to reporters regarding the GDPR).  The GDPR was founded on six primary principles for data processing: personal data should be (1) processed “lawfully, fairly, and in a transparent manner”; (2) collected for “specified, explicit and legitimate purposes,” and processed only within the scope of that specified purpose; (3) “adequate, relevant and limited to what is necessary” to serve the specified purpose; (4) accurate, which may impose burdens on firms to take “every reasonable step” to ensure that inaccurate data are “erased or rectified without delay” to fit the specified purpose; (5) stored only so long as is necessary for the specified purpose; and (6) appropriately secured against “unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.” Id. at 35–36.  Id. at 40–42.  Id. at 43.  Id. at 43–44. Some circumstances in which a consumer has a right to erasure of data include, among other situations, when the personal data “are no longer necessary” to achieve the purpose for which they were collected, or when the consumer withdraws consent. Id. at 43–44.  See id. at 37; see also id. at 34 (“‘[C]onsent’ of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data . . . ;”).  Id. at 37.  Id.  Id.  See Josephine Wolff, Opinion, Why It’s So Hard to Punish Companies for Data Breaches, N.Y. Times (Oct. 16, 2018), https://www.nytimes.com/2018/10/16/opinion/facebook-data-breach-regulation.html (noting that the GDPR’s fines are “so harsh that regulators will never be able to impose the maximum allowable penalties”).  See O’Connor, supra note 5 (“[R]ecord-shattering data breaches and inadequate data-protection practices have produced only piecemeal legislative responses at the federal level, competing state laws, and a myriad of enforcement regimes.”).  See id.; cf. also 15 U.S.C.S. § 45 (LEXIS through Pub. L. No. 115-140) (authorizing the FTC to prosecute claims of unfair methods of competition against firms); Laura Sydell, FTC Confirms It’s Investigating Facebook for Possible Privacy Violations, N.P.R.: Two-Way (Mar. 26, 2018, 6:31 PM), https://www.npr.org/sections/thetwo-way/2018/03/26/597135373/ftc-confirms-its-investigating-facebook-for-possible-privacy-violations (noting that Cook County, Illinois filed suit against Cambridge Analytica and Facebook under “Illinois’ fraud law”); Kevin Granville, Facebook and Cambridge Analytica: What You Need to Know as Fallout Widens, N.Y. Times (Mar. 19, 2018), https://www.nytimes.com/2018/03/19/technology/facebook-cambridge-analytica-explained.html (noting that Massachusetts is investigating Cambridge Analytica and Facebook, and that “Facebook’s lack of disclosure on the harvesting of data could violate privacy laws in Britain and several states”).  See Wolff, supra note 20 (“What happens to the companies that allow our personal data to be stolen? In most cases, nothing. Sometimes there is a short-lived flurry of bad publicity, a brief dip in stock prices, a class-action lawsuit or a Federal Trade Commission investigation that leads to a token settlement or fine.”).  See General Data Protection Regulation, supra note 7, at 37.  See, e.g., United States v. Microsoft Corp., 138 S. Ct. 1186 (2018) (finding that the CLOUD Act—which now forces companies like Microsoft to comply with warrants to disclose personal data located even on foreign servers—rendered the case moot).  See General Data Protection Regulation, supra note 7, at 37.  See General Data Protection Regulation, supra note 7, at 53.  See id. at 53–54.  Adam Cohen & Howard Schiffman, Why Companies Should Be Grateful for the GDPR, Law 360: Expert Analysis (June 29, 2018), https://www.law360.com/articles/1058819/why-companies-should-be-grateful-for-the-gdpr (noting that “many U.S. businesses” have taken steps to comply with the GDPR).  See, e.g., Privacy Shield Framework, 81 Fed. Reg. 51,042 (Aug. 2, 2016) (establishing a legal framework under the EU-U.S. Data Privacy Shield, allowing American companies to gain “adequacy” determinations to lawfully accept data transfers from the European Union under the GDPR). The views expressed in this post represent the views of the post’s author only.