Senators aim to give internet companies doctor-like duties to protect our data

Consumers are increasingly entrusting online services with all kinds of personal data — but that trust has been repeatedly abused or taken for granted. If a doctor or a lawyer did that, they’d be kicked to the curb, because they have a legally defined duty to protect privileged data. Why don’t Facebook and Google? They might soon, via the Data Care Act.

This bill, proposed today by Senator Brian Schatz (D-HI) and co-sponsored by 14 more Democrats in the Senate, would essentially establish a set of consumer protection duties, defined and enforced by the Federal Trade Commission, preventing tech companies from knowingly doing harm to their users.

Do no harm

It’s inspired by, though very different from, what is called a “fiduciary,” a concept that encompasses doctors and lawyers, among others, whom people really have no choice but to trust. When you go into the doctor’s office or meet with your lawyer, you don’t sign waivers saying which parts of the conversation can be used to target you for advertising or build a database for an AI paralegal. You just trust that the person you’re giving your personal information to won’t use it in a way that causes you any harm.

Sure, doctors take an oath — but there are legal protections as well, and serious consequences for those who act in bad faith from a position of power over their clients or patients. Senator Schatz and his co-sponsors feel that a company like Facebook is now in a similar position, in which consent isn’t meaningful: the balance of power has tilted too far to the companies’ side.

“It is not realistic in today’s digital world to suggest that people could simply forgo online services and websites if they object to the way their data is being used,” said co-sponsor Sen. Maggie Hassan (D-NH) in a press release announcing the bill. “Online service providers should be required to act in the best interests of their customers, just like providers of other critical services.”

“A lot of attention, appropriately, has been paid on the privacy front to transparency and control,” Sen. Schatz explained in a press call. “Those are important conversations but there’s been very little in the public policy setting — not enough conversation about what happens after the data has been collected. And to me that ‘s a more important and consequential problem.”

The idea has been brought up before, notably by Yale’s Jack Bardin and Harvard’s Jonathan Zittrain, whom Sen. Schatz has previously cited.

His proposal, obviously now only in the earliest stages since it has only just been announced, is to establish some basic “duties” companies must make reasonable efforts to fulfill. As the release puts them:

  • Duty of Care – Must reasonably secure individual identifying data and promptly inform users of data breaches that involve sensitive information;
  • Duty of Loyalty – May not use individual identifying data in ways that harm users;
  • Duty of Confidentiality – Must ensure that the duties of care and loyalty extend to third parties when disclosing, selling, or sharing individual identifying data.

If those seem a little woolly, that’s on purpose (though they’re considerably more specific in the text). The bill isn’t meant to create the specifics of those duties, only the general shape of them, at the same time authorizing the FTC to figure out the details, creating and modifying rules as it sees fit.

Limits of legislation

“The moment we’re too prescriptive in the statute about what’s allowed and not allowed, the general councils and chief soft engineers will sit down and start to code around it.”
Sen. Schatz took this approach because he was has seen firsthand tech’s agility when it comes to regulation.

“From my observation and experience, the moment we’re too prescriptive in the statute about what’s allowed and not allowed, the general councils and chief software engineers will sit down and start to code around it,” he said. The solution is to “lay down broad principles and then empower the expert agency,” which is standard practice for regulating fast-moving industries.

If the bill became law, the FTC would go through the normal rulemaking process, consulting experts, industry, and political authorities to figure out what constitutes, for example, “reasonable” security measures. Once those were in place, it would have the authority to enforce them as well.

“One of the reasons I like using the FTC is they’re hard-nosed regulators that know what they’re doing and have not become a political lightning rod,” Sen. Schatz said. Notably the law does not actually call or classify these companies as fiduciaries, because “when we said fiduciary, every lawyer’s head exploded,” the Senator explained.

One major difference between this and existing fiduciaries is that lawyers have bars and doctors have medical licenses, among other things — local expert authorities that examine and judge conduct. Obviously there’s no such thing for tech or internet companies.

I asked the Senator about this; his feeling was that fractured authorities like those work in some ways but with tech and internet issues jurisdiction is much more naturally federal or interstate. It would be (and is) a mess trying to figure out whether to apply Illinois’s Biometric Information Privacy Act to a person in an airport in Ohio using a VPN in New York to use a service hosted in Chicago. Better leave it to the feds.

The political landscape this bill will have to navigate is not exactly a friendly one. Though he has the support of many Democrats in the Senate, he has no House collaborator or Republican co-sponsors, though he said that he has not encountered any “instinctive” opposition to his idea.

Rather, the opposing party is more concerned with the growing power of states like California and Illinois to project on the rest of the country their local, highly progressive views on privacy and regulation. Even though California’s privacy bill technically only affects citizens of that state, companies will build national and international policy around it to avoid getting taken to court by litigious Californian billionaires.

The idea of a federal internet privacy policy that could pre-empt California’s and others’ in case of conflict is attractive to many in D.C., and it’s likely, Schatz said, that his bill would end up as part of a bipartisan package along those lines. Not that he wants to pre-empt California’s rules, but that it may be a reasonable compromise in order to put consumer protection laws in place at a national level.

The bill is co-sponsored by Michael Bennet (D-CO), Tammy Duckworth (D-IL), Amy Klobuchar (D-MN), Patty Murray (D-WA), Cory Booker (D-NJ), Catherine Cortez Masto (D-NV), Martin Heinrich (D-NM), Ed Markey (D-MA), Sherrod Brown (D-OH), Tammy Baldwin (D-WI), Doug Jones (D-AL), Joe Manchin (D-WV) and Dick Durbin (D-IL).

You can read the full text of the bill here.

Data Care Act of 2018 (Text)