In the third article in a four-part series, Connor Haaland, a Harvard Law School student and a 2020 JURIST Digital Scholar, argues that the United States must keep up with China and Europe and develop its own data governance policies...
In September, China launched an initiative to set the standards of global data-security rules. This is on top of other efforts that China has taken to launch a data governance regime. This, for America, should be the spark that ignites the conversation around American data governance policies. Data is, after all, as many quip “the new oil,” pointedly hinting at its importance to the future of artificial intelligence (AI) and other digital technologies. But do not take it from me – Chief Technology Officer of the United States, Michal Kratsios – voiced his own warning in January of this year. He “absolutely” agreed, that if we do not get the regulations right, if we fall behind in AI, then the technology will be created with values antithetical to those of the United States. He went on to note, “American leadership … on technology is important.” So, where does the United States stand with its efforts to create some sort of framework for data governance? And, more importantly, where are we heading?
American data governance is best characterized as a series of regulatory islands within a sea of freedom to do, well, whatever one wants. While both Europe and China have staked out broad policies on this front, the United States has opted to carve out specific areas and regulate those while leaving the overwhelming majority free of regulation. Take for instance the Health Insurance Portability and Accountability Act, popularly known as HIPPA, or the Family Educational Rights and Privacy Act, FERPA. These Acts ensure a heightened level of privacy for specific types of data. Indeed, many of the rights within HIPPA echo the rights bestowed upon all Europeans and Chinese in their data privacy regimes. For instance, HIPPA provides Americans the opportunity to “change any wrong information in your file or add information to your file if you think something is missing or incomplete.” This is almost identical to Article 16 of the GDPR – The Right to Rectification – which provides all those citizens under European Union (EU) jurisdiction the right to obtain the rectification of inaccurate personal data concerning themselves. Like HIPPA, this applies to medical records, but can also apply to almost any facet of one’s data profile. The EU defines “personal data” as “a name, identification number, location data, online identifier, or one or more factors relation to that person’s physical, physiological, genetic, mental, economic, cultural, or social identity.” China has a similar provision in its Cyber Security Law, which provides a right to erasure.
The United States, thus, stands in stark contrast to both Europe and China when we compare their respective data governance policies. The next consideration, though, should not be “how will the United States catch up to China and Europe?”, but rather should be a consideration of whether the European and Chinese models are even worth emulating in the first place.
Thanks to the American system of federalism, an insightful case study regarding data governance is already underway in the United States in the state of California, which recently enacted the California Consumer Privacy Act (CCPA). The CCPA is an expansive, GDPR-esque data privacy law that regulates the data of Californians, the first comprehensive consumer privacy law passed in the United States.
Although the impacts of enforcing the CCPA are yet to be seen since enforcement measures only started in July of 2020, many possible impacts have been noted and elaborated upon by industry and academia alike. What we do know, however, is that the CCPA begins what may end up becoming a patchwork of data privacy laws across the United States. This uncertain regulatory environment will cost companies who work in the industries impacted by the CCPA large amounts in compliance costs, up to $55 billion by some estimates, and it is as yet unclear if the CCPA will tangibly increase consumer welfare. However, these costs have also had the impact of actually extending the rights of the CCPA to the entire country as companies like Netflix, Microsoft and Starbucks have opted to comply with the California law rather than create two separate compliance departments. But, these companies may nevertheless be forced to multiply their compliance departments as states around the country begin to consider their own privacy bills, such as a bill proposed in Washington – The Washington Privacy Act. Ultimately, there will have to be a federal bill on the issue so that the varying state-based schemes can be clarified. Indeed, scholars have already noted that CCPA-like data policies could violate the dormant commerce clause. due to the system changes it will impose on out-of-state creators, companies, and platforms. This further necessitates the need for federal intervention in this policy space.
Given the intimate link between data and innovation, a federal data policy law could be the most important law of the 21st century. It has the power to disrupt entire industries, to allow more unfettered freedom, or to find some stable middle ground. The history of American technology policy, in this respect, may offer clues as to what may be coming down the pike. Historically, the United States has been committed to a relatively hands-off approach to regulating technology, regardless of party or president. Indeed, former President Obama noted that “the way I’ve been thinking about the regulatory structure as AI emerges is that, early in a technology, a thousand flowers should bloom. And the government should add a relatively light touch…” while the Trump Administration – via Chief Technology Officer Michael Kratsios – said, “We recognize that we don’t need to impose preemptive, overly-burdensome, and innovation-killing regulations to stay true to our values.” These two approaches, at least facially, appear to display a very consistent ethos with respect to the regulation of AI and its derivative policy areas, like data policy. Stay relatively hands-off and let innovators innovate.
Nevertheless, there is a reason that the CCPA and its progeny are multiplying – it is an attractive idea. Indeed, in a poll of 777 Californian voters, 88 percent believed in strengthening even further the protections of the CCPA and 81 percent believed that a federal data privacy bill should be just as strong or stronger. While California is politically unrepresentative of the rest of the country, its early popularity may send a signal to federal legislators to get on board with the idea of such policies.
When it comes to massive changes in American data policy, it is a question of when rather than a question of if. The world is charging ahead, and it is high time that the United States begins to formulate its own array of policies. These may consist of a relatively hands-off approach, like the one voiced by both the Obama and Trump administrations, or it may exemplify a much more privacy-centric ideal, akin to the GDPR and the CCPA. In any case, the urgency of creating a coherent and predictable regulatory data governance strategy cannot be underemphasized. If America does not begin to forge ahead on its own policies, it will end up simply following in the wake of China and Europe. This is a concession that America should not be willing to make in such a key area of policy.
This is the third article in a four-part series exploring comparative data governance regimes. Check out the first and second articles on China’s and Europe’s regimes.
Connor Haaland is a 2020 JURIST Digital Scholar. He graduated from South Dakota State University in 2019, earning degrees in Spanish and Global Studies with minors in Economics and French. Most recently, Connor was a research assistant at The Mercatus Center, where his primary research focused on the intersection of law and emerging technology. He will attend Harvard Law School this fall.
Suggested citation: Connor Haaland, China and Europe Govern Their Data. Why Doesn’t the United States? – Student Commentary, September 30, 2020, https://www.jurist.org/commentary/2020/09/connor-haaland-us-data-governance/ .
This article was prepared for publication by Megan McKee, JURIST’s Executive Director. Please direct any questions or comments to her at email@example.com
Opinions expressed in JURIST Commentary are the sole responsibility of the author and do not necessarily reflect the views of JURIST's editors, staff, donors or the University of Pittsburgh.