“A new law to follow” seems unlikely to have featured on many business wishlists this holiday season, particularly if that law concerned data privacy. Digital privacy management is an area that takes considerable resources to whip into shape, and most SMBs just aren’t equipped for it.
But for 2021, I believe startups in the United States should be demanding that legislators deliver a federal privacy law. Yes, they should demand to be regulated.
For every day that goes by without agreed-upon federal standards for data, these companies lose competitive edge to the rest of the world. Soon there may be no coming back.
Businesses should not view privacy and trust infrastructure requirements as burdensome. They should view them as keys that can unlock the full power of the data they possess. They should stop thinking about privacy as compliance and begin thinking of it as a harmonization of the customer relationship. The rewards flowing to each party from such harmonization are bountiful. The U.S. federal government is in a unique position to help realize those rewards.
To understand what I mean, cast your eyes to Europe, where it’s become clear that the GDPR was nowhere near the final destination of EU data policy. Indeed it was just the launchpad. Europe’s data regime can frustrate (endless cookie banners anyone?), but it has set an agreed-upon standard of protection for citizens and elevated their trust in internet infrastructure.
For example, a Deloitte survey found that 44% of consumers felt that organizations cared more about their privacy after GDPR came into force. With a baseline standard established — seatbelts in every car — Europe is now squarely focused on raising the speed limit.
EU lawmakers recently unveiled plans for “A Europe fit for the Digital Age.” In the words of Internal Market Commissioner Thierry Breton, it’s a plan to make Europe “the most data-empowered continent in the world.”
Here are some pillars of the plan. While reading, imagine that you are a U.S.-based health tech startup. Imagine the disadvantage you would face against a similar, European-based company, if these initiatives came to fruition:
- A regulatory framework covering data governance, access and reuse between businesses, between businesses and government, and within administrations to create incentives for data sharing.
- A push to make public-sector data more widely available by opening up “high-value datasets” to enable their reuse to foster innovation.
- Support for cloud infrastructure, platforms and systems to support the data reuse goals, with investments in European high-impact projects on European data spaces and trustworthy, energy-efficient cloud infrastructures.
- Sector-specific actions to build European data spaces that focus on specific areas such as industrial manufacturing, the Green New Deal, mobility or health.
There are so many ways governments can help businesses maximize their data leverage in ways that improve society. But the American public currently has no appetite for that. They don’t trust the internet.
They want to see Mark Zuckerberg and Jeff Bezos sweating it out under Senate Committee questioning. Until we trust our leaders to protect basic online rights, widespread data empowerment initiatives will not be politically viable.
In Europe, the equation is totally different. GDPR was the foundation of a European data strategy, not the capstone.
While the EU powers forward, America’s ability to enact federal privacy reform is stymied by two quintessentially American privacy sticking points:
- Can I personally sue a business that violates my privacy rights?
- Can individual states build additional privacy protections on top of a federal law, or will it act as a nationwide “ceiling”?
These are important questions that must be answered as a function of our country’s unique cultural and political history. But currently they’re the roadblocks that stall American industry while the EU, seatbelts secure, begins speeding down the data autobahn.
If you want a visceral example of how this gap is already impacting American businesses, look no further than the fallout of the ECJ’s Schrems II decision in the middle of last summer. Europe’s highest court invalidated a key agreement used to transfer EU data back to the U.S., essentially because there’s no federal law to ensure EU citizens’ data would be protected once it lands in America.
The legal wrangling continues, but the impact of this decision was so considerable that Facebook legitimately threatened to quit operating in Europe if the Schrems II ruling was enforced.
While issues generated for smaller businesses don’t grab as many headlines, rest assured that on the front lines of this issue, I’ve seen many SMBs’ data operations thrown into total chaos. In other words, the geopolitical battle for a data-driven business edge is already well underway. We are losing.
To sum it up, the United States increasingly finds itself in a position that’s unprecedented since the dawn of the internet era: laggard. American tech companies still innovate at a fantastic rate, but America’s inability to marshal private sector practices to reflect evolving public sentiment threatens to become a yoke around the economy’s neck.
The catastrophic response to the COVID-19 pandemic fell far short of other nations’ efforts. Our handling of data privacy protection costs far less in human terms, but it grows astronomically more expensive in dollar terms with every passing day.
The technology exists to treat users respectfully in a cost-effective manner. The public will is there.
The business will is there. The legislative capability is there.
That’s why I believe America’s startup community should demand federal lawmakers follow the recent example of Europe, India, New Zealand, Brazil, South Africa and Canada. They need to introduce federally guaranteed modern data privacy protections as soon as possible.