California’s vision of regulation through innovation
Since the mid-nineties Europe and the US have diverged on how to handle personal data. On the EU side the view has been that the user should have control over how the data they created is stored and processed. The US took the opposing view that user data is owned by the platform it was generated on.
From Safe Harbour to Privacy Shield to the current EU-US Privacy Framework, cross-territory agreements on access to and use of personal data have been fraught with complications. Nowhere is this better illustrated than in the General Data Protection Regulation (GDPR), an ideological faultline that puts the onus on companies to protect their users or face substantial penalties up to 4% of global turnover.
The transatlantic response has been a mixture of outrage and introspection. Lessons are being learned and, in the cases of California’s Consumer Privacy Act and Delete Act, there is room to find ways to make it even easier for US consumers to exercise control over their data.
Microsoft national technology officer for Ireland Kieran McCorry knows all about the political football of user privacy. He argues that while the idea of physical territories is an archaic concept in the digital realm, there remains a real-world need for legal frameworks.
“The EU has a strong focus on fundamental rights and freedoms in relation to privacy and this dates right back to the Universal Declaration of Human Rights [in], the European Convention of Human Rights and, most recently, the Charter of Fundamental Freedoms of the European Union. Those last two show a very clear right to privacy for EU citizens,” he says. “The US is less focused on fundamental rights and more on sectoral protections, for example healthcare or financial services. What they lack is a fundamental right to privacy like that which underpins GDPR and it’s responsible for the tension between entities like the EU.”
McCorry is enthusiastic that California, a state reliant on the tech sector, is at the forefront of efforts to bring the US into line with GDPR or something like it. The California Consumer Privacy Act (CPA) could be the model for how a US equivalent of GDPR might function, and it has an unlikely ally in the tech sector.
“The tech sector has been responsible in part for driving the CPA,” he says. “Like GDPR it’s focused on making sure there are appropriate protections and consent for processing and the use of data. You can’t just harvest data and go use it for your own purposes without consent or some form of legal basis. That’s what the CPA provides and a set of actions should your data be processed incorrectly or inappropriately.”
One aspect where California is definitely moving beyond GDPR is the Delete Act, under which users can have a one-stop shop for having their online presence removed. While this right already exists in the EU, there is no easy way to have incorrect, irrelevant or inaccurate information expunged. McCorry says the idea is sound but the execution is fraught with problems.
“If there’s no reason for some entity to hold my data or if I withdraw my consent for that entity to use it then it has to be removed,” he says. “This also encompasses the notion of correcting incorrect data but if you withdraw your consent for that data to be processed it has to be removed. However, there are exceptions – for example if an organisation needs to hold on to it for some statutory or regulatory reason. That notion is new to the US but has been long established in European Union law through the 1995 directive through to GDPR. That’s not to say it’s perfect. It seems fairly straightforward: Entity A holds data about Person B who wants that data removed, you would think ‘well I can just submit the request and it gets deleted’ but it’s often very difficult for organisations to comply.”
McCorry says it’s a problem that extends all the way up the industry, from the small office with a bad filing system to multinationals where everything is where it should be, only distributed globally.
“There have been quite a number of interesting cases since GDPR came online – a big one was Google versus the French Data Protection Authority where an individual said ‘my data is being held in a search engine, and been indexed, so I want it removed.’ It was very difficult for Google to implement all of that,” he notes.