By Jerri-Lynn Scofield, who has worked as a securities lawyer and a derivatives trader. She is currently writing a book about textile artisans.
Cisco yesterday “issued a call to governments and citizens around the world to establish privacy as a fundamental human right in the digital economy,” according to a Cisco press release.
Other Big Tech companies have already endorsed drafting a federal privacy law, as reported by Ars Technica in Cisco, like Apple and other tech giants, now wants new federal privacy law.
Is this a sign that tech executives have suddenly developed misgivings about how the companies they’ve created collect and misuse our data?
No, not exactly.
As the New York Times reported in August, in Tech Industry Pursues a Federal Privacy Law, on Its Own Terms, in the wake of California adopting a sweeping privacy protection law:
In recent months, Facebook, Google, IBM, Microsoft and others have aggressively lobbied officials in the Trump administration and elsewhere to start outlining a federal privacy law, according to administration officials and the companies. The law would have a dual purpose, they said: It would overrule the California law and instead put into place a kinder set of rules that would give the companies wide leeway over how personal digital information was handled.[Jerri-Lynn here: my emphasis.]
“We are committed to being part of the process and a constructive part of the process,” said Dean Garfield, president of a leading tech industry lobbying group, the Information Technology Industry Council, which is working on proposals for the federal law. “The best way is to work toward developing our own blueprint.”
What Has Cisco Proposed?
Let’s turn to that Cisco press release again, in which the company urges three basic principles for US data privacy legislation:
- Ensure interoperability between different privacy protection regimes;
- Avoid fracturing of legal obligations for data privacy through a uniform federal law that aligns with the emerging global consensus;
- Reassure customers that enforcement of privacy rights will be robust without costly and unnecessary litigation.
And now, let’s examine each of these in turn.
First, Ensure interoperability between different privacy protection regimes. The EU implemented its General Data Protection Regulation (GDPR) in May 2018, a change EU GDPR.org called “the most important change in data privacy regulation in 20 years”(for a summary see here).
What Cisco recognizes in making this recommendation is that any change the US would make to its privacy protection regime would need to mesh with the EU framework. I’m not going to focus on this point here, but will instead focus on Cisco’s other two points, which concern US domestic privacy law.
Second, Avoid fracturing of legal obligations for data privacy through a uniform federal law that aligns with the emerging global consensus. The stated concern – over “fracturing” – merely refers to the cost of having to comply with multiple state regulatory regimes. A recent post in the New Jersey Law Journal, The California Consumer Privacy Act: What You Need to Know, for example, outlines what criteria trigger obligations by businesses outside the state to comply with the new California statute. And my post from yesterday, Illinois Supreme Court Affirms Biometric Privacy Law, Clearing the Way for Lawsuits, discusses one law firm’s assessment of what steps businesses that have employees in Illinois or that operate in the state should consider to avoid liability under the state’s biometric statute.
Cisco’s call to replace this fractured system with a uniform national framework rejects the position Supreme Court Justice Louis Brandeis set out 1932: that states should act as “laboratories of democracy”, assaying their own policy experiments, before the national government acts on an issue. The best recent example of this I can think of is Colorado’s decision to legalize marijuana five years ago. But there are many other such experiments that have been successfully undertaken, and implemented at the state, and city level — some of which — such as California’s emissions framework – that have then been taken up at the national level.
What Cisco and Big Tech especially fear: California’s privacy framework, which comes into effect in 2020. And the concern is not limited to compliance with the provisions of this flagship data protection statute, but also, as I wrote in this December post, Advertising Trade Association Presses for Federal Data Privacy Regulation, a recognition that large companies may have less coercive influence over state legislatures and policymakers than they do at the federal level:
Undoubtedly a huge unmentioned motivating factor, as far as data procurers, users, and brokers are concerned, is that the governments of some states – including California – have not been captured to the same extent as the federal regulatory apparatus. So on occasion, states may either enact meaningful consumer protections, and in some instances, state legal officers actually attempt to enforce them.
I am of course well aware that a certain amount of grandstanding occurs at the state level, but nonetheless, the situation is not nearly as dire as the federal state of play — where the deterioration, I should point out, in public policies even remotely reflecting popular opinion and majority needs, occurred well before Trump was inaugurated.
Third, Reassure customers that enforcement of privacy rights will be robust without costly and unnecessary litigation. This brings us to the heart of the matter. Big US corporations fear lawsuits. The taming of the Justice Department and various regulatory agencies, including the Securities and Exchange Commission and the Environmental Protection Agency, in enforcement matters means that private lawsuits are one of the sole remaining means ordinary people can use to try to redress grievances.
As an aside, I should mention that regular readers know this deterioration is not something that occurred on Trump’s Watch. I’ll spare you a recitation of the litany of citations to previous posts on his immediate predecessor’s failures in this regard, but will be happy to discuss some of them in comments, if there’s interest.
As to lawsuits, I recognise there are huge obstacles to bringing and prevailing in these, especially in class actions. These obstacles have increased, and indeed accelerated, since at least the Clinton administration, as part of a considered campaign in which corporate lobbyists – acting on behalf of potential corporate defendants- have largely prevailed.
- statutory changes, such as the the Private Securities Litigation Reform Act (1995) and the Class Action Fairness Act (2005);
- Supreme Court decisions, including imposing restrictions on punitive damages, upholding mandatory arbitration clauses, and interpreting standing and pleading requirements;
- seating business-friendly friendly judges, which the Trump administration has excelled at, building on previous framework constructed by his predecessors (and not just the Republican ones); and
- funding and pursuing “legal reform” or “tort reform” campaigns, which include financing judicial campaigns, particularly for the highest state courts – where judgeships are often elected positions; and changes to state laws.
What Is To Be Done?
I’m glad to see Cisco espousing the importance of data privacy as a “fundamental human right”– even if this is a mere rhetorical exercise.
I fear, however, once the current Congress considers this issue, that the federal data privacy regime they will enact will be much worse than the current state of play. Corporate Democrats rely too much on tech money for campaign finance to construct a system of tight restrictions, and progressive Democrats have their eyes set on different prizes — Medicare for All, the Green New Deal, tax increases on the wealthiest. Although there are some Republicans who espouse libertarian principles, I think it unlikely that the Trump administration nor many influential Republicans, will take up the challenge of safeguarding our privacy.