LR33: How to Handle Data Privacy

We may earn money or products from the companies mentioned in this post.


Liberty Revealed Episode 33 Show Summary

Mike discusses why he believes some Federal regulations will be required in order to protect consumer data and protect the ability of businesses to conduct their business on the internet.

Listen to Liberty Revealed Episode 33

Liberty Revealed Episode 33 Show Notes

Welcome back to another episode of Liberty Revealed, the show dedicated to revealing personal liberty to all who listen. I am your host, Mike Mahony, and today I want to talk to you about data privacy and how I feel it should be dealt with.

Protecting internet data privacy without hindering innovation requires a dose of legislative humility and strong trust in consumer intelligence. Neither is easy for a Libertarian to swallow.

The recent data breaches at Google and Facebook have amplified the debate around data privacy and the laws governing the same. Commentators seem to feel the US regulatory approach to all of this is akin to the Wild Wild West. They act as though no regulation exists.

Some are calling for the adoption of heavy-handed, European-style controls such as the General Data Protection Regulation (GDPR), which imposes 45 specific rules on data-driven enterprises. They have applauded new data regulation rules in California, which grants sweeping power to the state’s attorney general to collect fees, impose rules, approve business plans, and solicit public support for class actions against internet companies. It is reasonable to be skeptical of the notion that increasing government power is the key to protecting privacy, but without federal preemption, the nation could balkanize with 50 sets of online privacy rules, undermining the seamless digital experience consumers enjoy today as well as the internet economy which powers some 10 percent of national gross domestic product.

I, for one, feel the regulatory approach to data privacy and protection of the internet is just flat out wrong.

One reason people believe the US has an inferior, laissez-faire approach to internet regulation is that they confuse data privacy and protection and because they are not familiar with America’s own substantive privacy protections developed since its founding. In fact, there are literally hundreds of laws on privacy and data protection in the U.S.—including common law torts, criminal laws, evidentiary privileges, federal statutes, and state laws. America’s tradition of protecting privacy is predicated on ensuring the individual’s freedom from government intrusion and pushing back the overreach of the administrative state. By way of comparison, the EU’s laws are relatively new, officially dating from this century, and still lack the runway of judicial scrutiny and case law that characterizes U.S. law.

This experience from Europe gives us a glimpse of what to expect should we adopt a similarly heavy-handed regulatory approach in the USA. Simply put, the EU’s laws don’t work to create trust in the online ecosystem. After a decade of data protection regulation—in which Europeans have endured intrusive pop-ups and disclosures on every digital property they visit—Europeans report no greater sense of trust online. As of 2017, only 22 percent of Europeans shop outside their own country (a paltry increase of 10% in a decade). Moreover, only 20 percent of EU companies are highly digitized. Small to medium-sized European companies have neither modernized their operations nor marketed to other EU countries because data protection compliance costs are too high.

To do business in the EU and comply with the new rules, US firms with 500 employees or more will likely have to spend between $1 and $10 million each to comply with GDPR. With over 19,000 firms of 500 employees or more in the US, total GDPR compliance costs for U.S. firms alone could reach $150 billion, twice what the U.S. spends on network investment and one-third of annual e-commerce revenue in the U.S. Not surprisingly, thousands of online entities, both in the EU and abroad, have proactively shuttered their European operations for fear of getting caught in the regulatory crosshairs.

Moreover, there is a business model behind data protection regulation. Not only will Europe have to hire some 75,000 new data protection professionals as regulatory compliance officers, but regulatory authorities are also doubling their staff and budgets to take on the increased workload of managing compliance and complaints. Just seven hours after the GDPR came into effect in May 2018, Austrian activist Max Schrems lodged complaints against Google and Facebook, demanding $8.8 billion in damages because their services are so popular that they effectively “force” people to use them.

Politics continues to play a huge role in data privacy and protection.

A decentralized, limited government approach has been empirically shown to better protect data privacy, but regulatory advocates are too powerful, organized, and determined to let well enough alone. They consider themselves the self-appointed protectors of all Americans, who they deem unwitting digital serfs, forced to engage in transactions against their will and too stupid to learn how to be safe online.  While freethinkers value sovereignty and choice, they are diffuse and difficult to galvanize. The sweeping regulations adopted in California and the European Union were enabled by a small yet vocal group of activists.

While the media emphasizes the partisan chaos in Washington, there is a bona fide, fact-based, bipartisan effort within Congress to create a rational policy for consumer online privacy. The Senate Commerce Committee has hosted a series of hearings to gather input from a variety of stakeholders.  In addition, the Trump Administration has tasked key agencies with developing scientific and policy principles that ensure standards and guarantee freedom of choice for individuals while also giving organizations legal clarity and the flexibility to innovate. It may seem counterintuitive that we need more privacy legislation, but in this case, the outcome will be worse for freedom if Congress does not clarify a single national policy.

I personally prefer a market-based approach to data privacy and protection. To me, the required trust in consumer intelligence is difficult, but necessary if we are to both protect our privacy and data and protect our freedom.

The elements of a market-based approach includes a consistent national policy that promotes technological innovation, consumer education, and freedom of choice for consumers.

Privacy-enhancing technologies. Continuous technological improvement of online systems will always be better than regulatory regimes that rely on bureaucrats to decide how data should be processed and which abuses to adjudicate. Scientific research demonstrates that privacy-enhancing innovation (a field including dozens of technologies such as encryption, data minimization, anonymization, attribute-based access controls, etc) makes the online experience safer and more private than a bureaucratic approach can. Moreover, soft law instruments such as multi-stakeholder processes, scientific best practices and standards, and codes of conduct can address emerging data protection challenges without resorting to heavy-handed rules. Policymakers should consider the role of incentives for design and experimentation with privacy-enhancing technologies (PETs). These can include grants, awards, and competitions. Importantly, a national policy would include a legal safe harbor for innovators so that they can experiment without punishment and so that enterprises can be confident that they are complying with the law.

Consumer education. Informed consumers who have the freedom to choose among a robust array of goods and services are the bedrock of a free-market economy. This assumes a marketplace in which there is sufficient information, ease of market entry and exit, and minimal regulatory distortion. Scientific research concludes that the consumer’s level of knowledge about the online experience is crucial when it comes to creating trust online. Notice and consent are meaningless to consumers if they don’t understand the nature of the transactions in which they engage, how online platforms work, and the associated costs, benefits, and alternatives. (See p. 13 of this filing to the Federal Trade Commission for the history of consumer education and models of online privacy education.) Individuals need to take the responsibility to educate themselves about the online services they use and policy-makers must ensure that there are transparent ways for consumers to get access to that information. Moreover, educated consumers are a powerful check on unelected, unaccountable bureaucrats, limiting the need for regulation in the first place.

Choice. Individuals must have freedom of choice over whether to share their data in exchange for a service as well as the ability to say no to terms and conditions which make them feel uncomfortable. When a consumer says no and declines the service, this sends an important message to providers to improve their products and services. A key problem of the California and European rules is that they obligate providers to deliver services even if users object to sharing their data. This perversion creates a free-rider problem, which increases the amount of processing that must be performed on consenting users so that the service provider can cover its costs. Moreover, it removes the essential feedback that providers need from users so that they can improve their services.

Flexibility. A recent Senate hearing featured the architect of the California Consumer Privacy Act, Alastair MacTaggart, who took offense that his local Supercuts hair cuttery requested his email and phone upon checking in for an appointment. MacTaggart called it “out of control” and intimated that this practice should be eliminated for all Supercuts customers. (He also spent nearly $3.5 million of his own fortune from a successful real estate business, which, ironically, relies on the same kind of data processing he now wants to eliminate.) This kind of elitism fails to see how many people appreciate SMS reminders for their salon appointments and want to receive email offers of coupons for hair care products, discounts, and so on. 

The situation is a reminder of the need for regulatory flexibility. Consumers who do not want to participate in such programs should not have to, but those who want to should be allowed. Regulatory advocates don’t like the idea that a customer loyalty program has such requirements. They don’t want enterprises to have the flexibility to reward loyal customers. Again, this creates a free-rider problem. If enterprises are obliged to make offers available without any minimum requirements, the provider’s incentive for offering the promotional program is thus removed, and the provider pulls the offer. This leads to overall price increases while reducing welfare for the set of customers who wanted the offer in the first place. In any case, there are technical workarounds that can secure privacy without eliminating enterprises, such as anonymizing email addresses and phone numbers. (See p. 11 of the filing for the discussion on anonymization).

Consistency. America’s 50 states are a single market, which is a boon to America’s digital economy. An app posted in Maine can serve a user from Hawaii. However, California’s new privacy law disrupts this seamlessness, inhibiting commerce both inside and the state. Other states (NY, NJ, MD, MA, RI, IL, and CT) are threatening to make their own rules. We need a single federal privacy standard enforced by a single Federal regulator – ideally the Federal Trade Commission.  The FTC can enforce the standard and deliver enforcement with the cooperation of state attorneys general.

The cycle of privacy panic, the manufactured fear that accompanies new technologies, has been a well-documented phenomenon for more than a century. When first introduced, photography was maligned for violating one’s privacy. As people experience new technology, they grow more comfortable with it, ultimately adopting it in a way that demonstrably improves their lives. When asked what has brought the biggest improvement to their lives in the past 50 years, Americans name technology more than any other advancement, notes Pew Research in a 2016 survey.

Today’s debate about the data-driven economy is no different. Market-based solutions can address data privacy concerns without surrendering the internet to government control. If anything, this legislative moment is about reaffirming America’s history of data protection and privacy. We need federal law to stop state-level overreach so that the freedom of individuals and enterprises can flourish.

Tell me your thoughts on this by leaving a voicemail on the Yogi’s Podcast Network hotline at (657) 529-2218.

That’s it for this episode of Liberty Revealed. .If you like what you’ve heard, please rate us 5 stars on Apple Podcasts and Google Play. If you’d like to learn more about personal liberty, grab your free copy of my book “Liberty Revealed” by heading over to Until next time…stay free!

Links Mentioned in Episode 33

What is personal liberty?

Catch Yogi\'s Podcast Network on YouTube

Yogi\'s Podcast Network YouTube Channel