What impact will a Data Protection Act have in the US? [Q&A]
The US Congress is currently considering whether to pass a bill to create a Data Protection Act which would set up a federal data protection agency.
The bill, introduced last month, spells out how the agency would enforce data protection and privacy rights, putting Americans in control of their own data. But what exactly does that mean? And how would a bill with the sole goal of protecting individuals' data affect the tech, financial and healthcare industries?
We spoke to Mike Capps, former Epic Games president and current co-founder and CEO of responsible AI startup Diveplane, for his unique perspective as someone with a past in the consumer (and data-heavy) industry of video games, as well as having a future in changing how we use and protect our data through ethical AI applications.
BN: Do you think the US is ready to adopt a bill like the Data Protection Act?
MC: The time is right to create a unified approach to data protection in the US. Industries must already deal with the impact of local privacy legislation, like California's CCPA. That said, any legislation has to be written with the input of the industries and companies that are going to have to implement the measures to address the legislation as well as consumer protection groups. Ambiguity and uncertainty in the legislation will cause issues with implementation and therefore erode the value to consumers and individuals.
BN: What are some of the biggest flaws you see in the bill as it's been presented?
MC: The ecosystem of companies that control and process data is complex. The proposed legislation does not differentiate between those who are in primary control of data and those who have limited access and ability to use the data, such as those that are paid to process data on a primary company's behalf. Privacy regulations, such as HIPAA and GDPR, differentiate between those with primary responsibility (e.g., the Covered Entity in HIPAA) and those with subjugated or secondary responsibility (e.g., the Business Associate of HIPAA). More particularly, in most industries companies with particular expertise are hired to perform certain functions or processing on behalf of those with primary access to and responsibility for data. Responsible national privacy regulation would appropriately differentiate responsibilities depending on a company's relationship to the data.
BN: Are there any changes you'd make?
MC: We would propose that the duties of the companies in primary control of data are distinguished from the duties of those with secondary control. This is a well-established principle in GDPR (Controller and Processor) and HIPAA (Covered Entity and Business Associate). Additionally, pre-emption by federal law over state law is a well-established principle which allows for a nationally coherent approach to the rule of law. As drafted, this bill erodes aspects of federal pre-emption. This erosion increases uncertainty and makes compliance more difficult. National legislation is important in order to improve certainty for both companies and individuals. The more certainty and coherence that federal privacy regulation can provide, the more coherent the compliance approaches of individual companies will be, and the better companies can protect the data of individuals.
BN: What effects do you think a law like this would have on the technology industry in the US?
MC: Currently, US data privacy protection is provided by a scattershot of local laws, and enforcement is inconsistent, even at the federal level. Federal legislation and enforcement, especially with traditional federal pre-emption over state law, would provide far more certainty to individuals who want to keep their data private and companies who will strive to protect people’s privacy.
BN: What about the healthcare and finance industries?
MC: The healthcare and finance industries already have world-class privacy protection for personal data under, respectively, HIPAA and the US financial data protection laws. There should not be additional controls on such data. Therefore, any new privacy legislation should have exemptions for data already protected under existing federal legislation. For data that is not already protected under existing federal legislation, companies in those industries already have controls in place for data privacy. Assuming that new federal data privacy regulation is passed with input from industry and consumer protection groups, healthcare and financial companies should be well equipped to handle the new privacy regulations.
BN: How do you think consumers and businesses could best prepare themselves for a law like this to be passed?
MC: The most important thing for the legislature and companies to do at this point is to engage in open dialogue. Legislation needs to be drafted with consideration of the complex nature of modern business and technology and the needs of individuals. This will provide more certainty to both consumers and companies striving to protect those consumers' data.
BN: The bill proposes providing resources for companies, like 'Privacy Enhancing Technologies.' How likely is it that artificial intelligence would be used here?
MC: There are privacy enhancing techniques, which can be implemented in technology, that should be adopted, such as thoughtful safe harbors. Thoughtful safe harbors on aggregation and synthetic data will provide data privacy while allowing innovation, and many companies will happily operate in the space of the safe harbors. Such safe harbors will simplify companies' compliance, and therefore also increase individuals' data privacy and simplify enforcement.
BN: Do you think artificial intelligence adoption for data protection purposes -- apart from what the bill provides -- would increase within businesses following this bill going into effect?
MC: Certainly. Many companies would like to innovate on their data while fully protecting the privacy of individuals' data. Many artificial intelligence techniques allow for that. For example, whether adopted as a safe harbor or implemented as a privacy control, synthetic data generation can be based on artificial intelligence techniques. Synthetic data can be generated in a way that will allow for innovation while protecting the data privacy of individuals.