Access Now created a guide for lawmakers on creating rights-respecting data protection regulations, based on our experiences working with lawmakers in Europe on the GDPR. Building on our work in Brussels and globally, we have created a list of items that should be included in a truly comprehensive, federal approach to data protection. These are the elements necessary to fully protect people, in the U.S. and elsewhere, in our increasingly connected world.
First, a comprehensive set of data protection laws should apply equally to any entity that collects, uses, or manipulates information about people, whether public or private. It should not preempt or prevent the creation of any stronger protections that are already written into federal law or exist at the state level. It should also be forward looking, contemplating the wealth of information that will be available through the Internet of Things. And it should support the growth of business models that are not built on the collection and exploitation of massive amounts of sensitive data.
The law should provide the following set of rights:
- Right of access
- Right to erasure
- Right to rectification
- Right to explanation
- Right to portability
- Right to object
Ideally, it should create and fund:
Government programs and investments
- Creation of a grant program for companies investing in privacy-protective business models and practices, including any model not based around user data;
- Commitment to the protection of digital security, including encryption, and investment in research and development to explore best methods for protecting user data;
- Creation of a board to develop security best practices for Internet of Things devices (Representative Lieu and other members of Congress have already introduced a bill that would take this approach);
- Investment in companies that explore and develop systems for greater interoperability of edge providers;
- Research into the harms of data breaches of non-financial personal data and potential redress mechanisms to respond to those harms; and
- Establishment of an independent data protection commission with authority and resources to monitor implementation, conduct investigations, and sanction entities in case of data protection violations.
It should require:
Obligations on all entities processing data
- Limitation of data processing to specific, enumerated purposes, including meaningful, opt-in consent, execution of a contract, or as necessary under law, and with heightened protections for the most sensitive data;
- Affirmative obligation to issue timely notification to users when, and to whom, data are transferred, eliminating the shadow internet industries built around user data by creating a connection back to the person;
- A blanket public data breach notification for all breaches, with individualized noticed necessary in the case of potential harm, including emotional harm;
- Prohibition on the use of algorithms to arbitrarily discriminate, including against marginalized communities and communities of color; and
- Further prohibition on mandatory arbitration clauses for users.