The United States and Canada confronts a crisis. Digital giants invade our private lives, spy on our families, and gather our most intimate facts for profit. Bad actors, foreign and domestic, target the personal data gathered by U.S. firms, including our bank details, email messages and Social Security Numbers.
Our privacy laws are decades out of date. We urgently need a new approach to privacy protection. We must update federal laws and create a data protection agency specifically tasked with safeguarding the privacy of Americans. The time is now.
It’s telling that, at a time when disunity supposedly defines the political landscape, there’s at least one issue the vast majority of Americans and Canadians agree on: the need to bring some balance back to our digital lives. However, in our current state where corporations wield vast power over our own data, politicians and our political systems themselves – there is little chance for meaningful reform to be made.
The Cascadia Bioregional Party supports the protection of digital rights and privacy, including a digital bill of rights, creation of a Cascadian GDPR bill, and the right of every person to control their own data, including the right to be forgotten. Digital technologies do not exist in a vacuum. They can be a powerful tool for advancing human progress and contribute greatly to the promotion and protection of human rights. However, when misused – data-intensive technologies, such as artificial intelligence applications, and business enterprises are increasingly able to track, analyze, predict and even manipulate people’s behavior to an unprecedented degree. These technological developments carry very significant risks for human dignity, autonomy and privacy and the exercise of human rights in general, if applied without effective safeguards. This means we also must have clear, transparent means for tracing financial support and advertising.
A Framework for Privacy and Digital Rights in Cascadia
ENACT BASELINE LEGISLATION
We call for baseline legislation that ensures a basic level of protection for all individuals within Cascadia. We support laws that typically establish a floor and not a ceiling so that states can afford protections they deem appropriate for their citizens and be “laboratories of democracy,” innovating protections to keep up with rapidly changing technology.
ENFORCE FAIR INFORMATION PRACTICES (FIPS)
Baseline legislation should be built on a familiar privacy framework, such as the current baselines, and the GDPR protections established in the European Union. These frameworks create obligations for companies that collect personal data and rights for individuals. Core principles include:
- Transparency about business practices
- Data collection and use limitations
- Data minimization and deletion
- Purpose specification
- Access and correction rights
- Data accuracy
“Personal data” should be broadly defined to include information that identifies, or could identify, a particular person, including aggregate and de-identified data. Federal law should also:
- Establish limits on the collection, use and disclosure of personal data,
- Establish enhanced limits on the collection, use and disclosure of data of children and teens,
- Regulate consumer scoring and other business practices that diminish people’s life chances, and
- Prohibit or prevent manipulative marketing practices.
- Establish baselines for use of algorithms and AI-information collection policies.
ESTABLISH A DATA PROTECTION AGENCY
Many democratic nations have a dedicated data protection agency with independent authority and enforcement capabilities. While the Federal Trade Commission (FTC) helps to safeguard consumers and promote competition, it is not a data protection agency. The FTC lacks rulemaking authority. The agency has failed to enforce the orders it has established. Cascadia needs a federal agency focused on privacy protection, compliance with data protection obligations, and emerging privacy challenges. The agency should also examine the social, ethical, and economic impacts of high-risk data processing and oversee impact-assessment obligations. Federal law must establish a data protection agency with resources, rulemaking authority and effective enforcement powers.
The Right to be Forgotten
The right for people to have control over their own data, and to be forgotten.
ENSURE ROBUST ENFORCEMENT
Robust enforcement is critical for effective privacy protection. Arbitration clauses do not protect consumers and permit dangerous business practices to continue. If a company violates federal privacy law, consumers must be able to pursue a private right of action that provides meaningful redress without a showing of additional harm. Statutory damages are an essential element of an effective privacy law.
ESTABLISH ALGORITHMIC GOVERNANCE TO ADVANCE FAIR AND JUST DATA PRACTICES
The use of secret algorithms based on individual data permeates our lives. Concerns about the fairness of automated decision-making are mounting as artificial intelligence is used to determine eligibility for jobs, housing, credit, insurance, and other life necessities. Bias and discrimination are often embedded in these systems yet there is no accountability for their impact. All individuals should have the right to know the basis of an automated decision that concerns them. And there must be independent accountability for automated decisions. Protecting algorithms as a trade secret overprotects intellectual property and creates a barrier to due process. Trade agreements should uphold algorithmic transparency. Algorithmic transparency is central to algorithmic accountability.
PROHIBIT “TAKE-IT-OR-LEAVE-IT” TERMS
Individuals cannot have meaningful control of their personal data if the terms of service require them to waive their privacy rights. Furthermore, requiring individuals to pay more or receive lower quality goods or services if they do not waive their privacy rights is unfair and discriminates against those with less means. Law should require that consent, where appropriate, is meaningful, informed, and revocable, and should prohibit “pay-for-privacy provisions” or “take-it-or leave it” terms of service.
PROMOTE PRIVACY INNOVATION
Law should require innovative approaches to privacy and security, including strong encryption, robust techniques for deidentification and anonymization, and privacy enhancing techniques that minimize or eliminate the collection and disclosure of personal data, and make privacy by design an affirmative obligation. The consolidation of personal data with a small group of firms has stifled innovation and competition. Antitrust enforcement agencies should consider privacy interests in merger review. Mergers that fail to protect the privacy of consumers should be rejected.
LIMIT GOVERNMENT ACCESS TO PERSONAL DATA
Personal data held by companies are often sought by government agencies for law enforcement purposes. We do not object to the disclosure of specific records that are required for legitimate criminal investigations and obtained through an appropriate judicial procedure. However, there should be a clear standard in a privacy law for such disclosure.