France made headlines on 21 January 2019 for fining Google US$57 million – the first large fine to be issued for violations of the European Union’s newly implemented General Data Protection Regulation. GDPR, as it’s called, is meant to ensure consumers’ personal information is appropriately used and protected by companies. It also creates procedures to sanction companies that misuse information.
According to French data privacy agency the National Commission on Informatics and Liberty (CNIL), which levied the fine, Google didn’t clearly and concisely provide users with the information they needed to understand how it was collecting their personal data or what it was doing with it. Additionally, CNIL said Google did not obtain user consent to show them personalized advertisements. For its part, Google may appeal.
This case demonstrates the increasingly prominent role that the EU intends to play in policing the use of personal information by major companies and organizations online. The U.S. lags behind Europe on this front. As a researcher who studies computer hacking and data breaches, I’d argue the U.S. may have ceded regulatory powers to the EU – despite being the headquarters for most major internet service providers. Why has the U.S. not taken a similarly strong approach to privacy management and regulation?
Do individual Americans even care?
There’s no single answer to why the U.S. hasn’t taken similar measures to protect and regulate consumers’ data.
Americans use online services in the same way as our European counterparts, and at generally similar rates. And U.S. consumers’ privacy has been harmed by the ever-growing number of data breaches affecting financial institutions, retailers and government targets. The federal government’s own Office of Personnel Management lost millions of records, including Social Security numbers, names, addresses and other sensitive details, in hacks. My research demonstrates that hackers and data thieves make massive profits through the sale and misuse of personally identifiable information.
It is possible that years of constant breaches have created a sense of “breach fatigue.” Maybe Americans no longer react to the loss of information because it seems there’s nothing we can do to stop the problem.
There may also be generational differences in the perceived value of personal privacy in online spaces. Millennials, who have only known a world with the internet and social media, seem more willing to disclose personal details through online platforms compared to older groups. However, several studies suggest that younger generations may be willing to do so simply because they are not as aware of the threats they face from online data collection and mismanagement as older generations are.
At the same time, studies demonstrate consumers may be willing to provide personally identifiable information in certain circumstances, especially if they may gain some benefit. They likely do not fully comprehend how and why information collection poses a threat to their overall privacy.
Companies don’t want these regulations
Social media sites’ and internet service providers’ resistance to external regulation is also a likely reason why the U.S. has not acted.
Facebook’s practices over the last few years are a perfect example of why and how legal regulation is vital, but heavily resisted by corporations. After hearings and investigations into the role of Facebook in distributing Russian political disinformation, as well as in the Cambridge Analytica scandal, Facebook implemented a new set of political transparency rules to help individuals understand who paid for content and why it’s being shown.
Meanwhile, Facebook executive management took extraordinary steps to target public critics calling for increased oversight, sowing confusion as to why Facebook should be regulated at all. And past attempts to regulate the platform appear to have been ignored by Facebook for years.
If the providers won’t protect data privacy on their own, I believe that the government needs to implement increased regulatory guidelines.
Should the U.S. continue on its current path, it faces a substantial risk not only to personal information safety, but to the legitimacy of governmental agencies tasked with investigating wrongdoing. Many tech researchers, including me, already see this happening in law enforcement investigations of cybercrime. The transnational nature of these offenses, coupled with a lack of reporting to police, has reduced the ability of local, state and federal agencies to respond.
Corporate entities are filling the regulatory gaps in cyberspace, whether it is in the response to computer hackers or the removal of child pornography. If the U.S. continues to allow internet service providers to regulate themselves with minimal external controls over data privacy, it is not clear how to ever regain this lost ground.