GDPR USA: Why tech industry now lobbying against consumer privacy

GDPR USA: Why tech industry now lobbying against consumer privacy

OPINION Chris Middleton explains why the IT industry’s attempts to curry favour with the White House in order to water down data privacy rules may create more problems than it solves. And at the centre of the storm stand AI, machine learning, and the IoT.

Internet of Business says

When California passed new data privacy laws in June, the impression was that the technology industry had divided itself into two camps: companies such as Microsoft, Apple, Salesforce, Box, and SugarCRM appeared to favour GDPR-style regulation within the US, while others, such as Google and Facebook, saw the new rules as a threat to their advertising-based businesses.

Indeed, when GDPR came into force in May, Apple, Microsoft, and others, openly supported Europe’s new laws, saying they intended to adopt them globally in order to protect citizens’ “fundamental right” to privacy, in Microsoft’s words.

However, recent developments have suggested that the truth is rather more complex and murky: in the background, the technology industry has been lobbying the US government for weaker national data privacy laws that it can draft itself, in order to spike the Californian regulations and prevent them from becoming a de facto national standard.

The moves have seen companies from both camps, including Microsoft, Google, IBM, and Facebook, lobby the White House to begin outlining new federal rules before the Californian regulations come into force in 2020. The aim is to outline a national alternative by the end of this year.

The California Consumer Privacy Act of 2018 (CCPA) was passed unanimously on 28 June, after the legislation was rushed through the state senate and assembly to prevent even tougher rules, backed by the signatures of more than 600,000 citizens, from being put before government. 

Facebook, Google, Comcast, AT&T, and Verizon were among those petitioning against the act.

What’s the significance?

As reported by Internet of Business in June, CCPA could bring sweeping changes to how technology companies both gather and monetise their customers’ data in the state.

While the rules will only apply to California citizens, their adoption is significant for three reasons. First, in 2017, California became the world’s fifth largest economy with a GDP of $2.47 trillion, overtaking the UK, according to federal data released in May.

Second, California is home to Silicon Valley and much of the US technology industry. Apple, Alphabet/Google, Intel, Facebook, Oracle, Salesforce.com, Cisco, Uber, and NVIDIA are among the hundreds of tech companies headquartered in the state, while many more have presences in Silicon Valley.

California has a history of being in the vanguard of privacy legislation. In 1972, voters amended the state’s constitution to include the legal and enforceable right to privacy as being among the “inalienable” rights of all citizens. However, that right has been encroached on by the digital economy – led by companies in the state.

That Californians strongly backed strict data privacy laws sent a powerful message to the industry that was sitting on their doorstep and peering through their keyholes – in the wake of the Facebook/Cambridge Analytica scandal, and other corporate abuses or losses of customer data.

And third, the cost, complexity, and difficulty of maintaining a different set of privacy rules for California would make it impractical not to adopt the regulations nationally – or globally – especially if other states follow suit.

In short, CCPA could create a de facto US standard on transparency in third-party data sharing, as well as on consumers’ rights to restrict that sharing.

That’s what the industry has been quietly lobbying to prevent.

While tech companies recognise that the data free-for-all that has existed for a quarter century was dealt a fatal blow by Facebook/Cambridge Analytica, they intend to be fully in control of what happens next.

Breach of faith

Given that both CCPA and GDPR were drafted to protect citizens from the data-gathering practices of large technology platforms – giving them the right to withdraw consent for their data’s exploitation – moves to counter the rules are a clear breach of faith by the technology industry.

That breach takes the form of a slow stepping away from privacy action backed by US citizens, and towards writing rules that protect tech companies’ own interests at national level. This would also have the effect of setting the US against Europe’s more stringent data privacy regime, reigniting the conflagration that brought about GDPR in the first place.

“It’s clear that the strategy here is to neuter California for something much weaker on the federal level,” said Ernesto Falcon, legislative counsel at the Electronic Frontier Foundation, according to a report in The Times. “The companies are afraid of California because it sets the bar for other states.”

The AI and IoT angle

So what is the technology industry so afraid of – while paying lip service to citizens’ privacy interests?

For companies such as Microsoft and Amazon, which are less of a hostage to advertising fortunes than Google or Facebook, the answer lies in AI and machine learning, together with the IoT, connected transport, smart cities, and analytics: technologies that all rely on access to vast pools of data.

In November 2017, lawyers acting on behalf of the citizens of California wrote to the Attorney General, outlining proposals for a new consumer privacy act that would limit companies’ access to that data.

Their proposed law entailed adding 15 clauses to the state’s Civil Code. The most significant ones for data-collecting organisations such as Facebook, Amazon, Google, and others, were:

  • The right to know what personal information is being collected
  • The right to know if personal information is sold or disclosed, and to whom
  • The right to say no to the sale of that personal information
  • The right to equal service and price (i.e. not to be discriminated against, based on that personal data).

More, the draft legislation’s definition of personal information was extremely broad, and included:

  • Identifiers such as name, address, IP address, email address, account name, social security number, passport number, and driving licence
  • Property records
  • Biometric data
  • Browsing history, interaction with advertisements, apps, or websites
  • Geolocation data
  • Audio, electronic, visual, thermal, olfactory, or similar information, including facial recognition
  • Psychometric data
  • Employment history
  • Inferences drawn from any of the information identified above
  • All of the above as applied to any minor children of the data subject.

In short, a shopping list of data types that are rich fuel for AI systems and connected technologies, as well as for the advertising industry operating in that world. After all, a permissioned smart city would be a legislative minefield.

However, the act that was passed in June was an amended version of the November draft, watering down some of the proposals. Most significantly, it included an exception to the right to equal service, allowing companies to offer different levels of service depending on how customers interact with a site, app, or advertisement – the so-called ‘Spotify exception’.

Be careful what you wish for

What the IT industry now wants is to strike a national balance “between privacy and prosperity”, in the words of White House deputy press secretary, Lindsay Walters.

But this is despite evidence from recent reports that protecting citizens’ privacy spurs customer loyalty and increases business, rather than damages it.

Collectively, the industry sees an opportunity in President Trump, a leader who favours business freedom and lax regulation, and who would be keen to strike down Californian law, in effect, with national rules that hand much of the power back to private companies.

But the industry should be careful what it wishes for, as the technology, communications, and media landscape becomes heavily politicised during the ongoing Russia investigations and the trade war with China. This president is no fan of many of the companies concerned – as events this week have proved.

On 28 August, Google CEO Sundar Pichai announced that he was refusing to appear at a Senate Intelligence Committee hearing next week on Russian manipulation of social media and election campaigns. Twitter CEO Jack Dorsey and Facebook COO Sheryl Sandberg will both be present.

Pichai’s refusal has drawn criticism from both sides of the political divide, and follows allegations by President Trump earlier this week that Google and others in the technology sector, such as Facebook and Twitter, are biased against conservative causes and have rigged search results and social feeds to only show negative coverage. As the world knows, this is a leader who regards the media as a mirror, and not as the fourth estate.

In a tweet, the President wrote, “Google & others are suppressing voices of Conservatives and hiding information and news that is good. They are controlling what we can & cannot see. This is a very serious situation-will be addressed!”

Trump added that tech companies “better be careful”, suggesting that he is prepared to take regulatory action against the industry.

Google responded: “Search is not used to set a political agenda and we don’t bias our results toward any political ideology. Every year, we issue hundreds of improvements to our algorithms to ensure they surface high-quality content in response to users’ queries. We continually work to improve Google Search and we never rank search results to manipulate political sentiment.”

The risks, therefore, are clear – and Pichai is aware of them.

By lobbying the White House to draw up regulations that favour the tech community’s lobbyists against citizens’ desire for privacy controls, the industry is playing a dangerous game, both politically and in terms of its own customer relations.

The president may either side with California in a punitive move against the likes of Google – which seems unlikely – or, more worryingly for the industry, see an opportunity to bundle up federal privacy regulations with rules that force the industry to come to heel politically.

In short, the industry may regret seeing this administration as an ally against California’s regulators, and would be better advised to back the interests of citizens – as Microsoft, Apple, and others, publicly stated they were doing in the first place.

In a socially connected world, lobbying the White House to counter rules designed to protect their own customers seems like the grandest of follies – especially as this administration will only see an opportunity to exert greater control to further its own political ends.

On 30 August – 24 hours after Internet of Business published this report – Republican senator Orrin Hatch asked the Federal Trade Commission (FTC) to investigate Google for antitrust practices. Meanwhile, Reuters reports that Trump’s economic adviser, Larry Kudlow, said the White House was “taking a look” at Google, saying the administration would do “some investigation and some analysis”. On the same day, the California Assembly voted to enshrine net neutrality in state law, in another effort by California’s lawmakers to counter President Trump’s policies.

Chris Middleton
Chris Middleton is former editor of Internet of Business, and now a key contributor to the title. He specialises in robotics, AI, the IoT, blockchain, and technology strategy. He is also former editor of Computing, Computer Business Review, and Professional Outsourcing, among others, and is a contributing editor to Diginomica, Computing, and Hack & Craft News. Over the years, he has also written for Computer Weekly, The Guardian, The Times, PC World, I-CIO, V3, The Inquirer, and Blockchain News, among many others. He is an acknowledged robotics expert who has appeared on BBC TV and radio, ITN, and Talk Radio, and is probably the only tech journalist in the UK to own a number of humanoid robots, which he hires out to events, exhibitions, universities, and schools. Chris has also chaired conferences on robotics, AI, IoT investment, digital marketing, blockchain, and space technologies, and has spoken at numerous other events.