“This century hasn't been kind to privacy. The rise of the internet. Smartphones that track our geolocation. A never-ending stream of data about us being gobbled up by thousands of companies. Surveillance everywhere, multiplying exponentially. And recently, rapidly advancing artificial-intelligence technologies that can analyze the massive digital dossiers about us and infer nearly everything about us.
I normally think about what could go wrong, and I've cried out that we're heading toward a dystopia more times than Chicken Little shrieked about the sky falling. Things haven't gone as predicted they actually have been worse.
So I'm quite the unlikely person to write a piece about what could go right with privacy. But there are definitely things that could go well, that might help us move the needle, though it will take a push in the right direction.
The most promising thing is that people really care about privacy. Poll after poll shows it. They're angry about how technology companies are unleashing new technologies recklessly, without accountability. Unless people really care about privacy, there's no way they'll ever get it. So this is a start.
Policymakers also have been busy enacting privacy laws -- and they have done so remarkably quickly. Laws have been passed all around the world. About 40% of the states have passed broad consumer-privacy laws, and many others have passed privacy laws dealing with various issues such as biometric data, health data and children's data.
Unfortunately, most of the laws have taken the wrong approach. They try to give us control over our data, which isn't possible in the digital age, especially with AI. There are too many companies collecting too much data for us to deal with them all. We'll never understand all the risks of sharing our data or agreeing to various privacy notices -- if we even have time to read them at all. We might think that sharing data about innocuous items we buy like soap and soft drinks is safe, but AI can, without our knowledge or consent, figure out our health, religion and politics.
Most laws today are trying to protect privacy by putting the onus on us. It isn't working because digital technologies are too complicated for us to manage. We need a different approach.
Without getting too wonky about the mechanics of privacy laws, the most effective thing they could do is to impose accountability. Whenever a company creates an unreasonable risk of harm through uses of data or through AI algorithms, the company must be held responsible.
Long ago, the makers of food and drugs could do whatever they pleased. A lot of food was tainted and mixed with some awful and toxic ingredients. Milk, for example, would be mixed with formaldehyde to sweeten it when it went rancid. It took the deaths of many babies until finally policymakers woke up and enacted regulation. A similar story occurred with cars. They were very dangerous until the law demanded safety.
Companies are superb at responding to incentives. When the law demanded safe food, it became much safer. When the law demanded safe cars, they became quite safe. I often hear gripes by defenders of tech companies that regulation will stifle innovation. But when the law required greater car safety, companies innovated to create technologies to make cars safer. Seat belts and air bags are innovations just as much as faster engines.
Milk is now relatively safe, as well. We can go into the supermarket and select the brand we like based on taste and price. We don't have to worry about getting sick or dying as people did in the past.
What makes the law work well for cars and milk? There is meaningful review before a product hits the market. Cars must be tested for safety. Farms are inspected. Then there's liability if something goes wrong. If your car is defective and you're injured, you can sue the automaker. If you are poisoned by milk, you can sue the manufacturer. You can hold them accountable.
With privacy, there's hardly any accountability before or after technologies are unleashed. Policymakers are afraid to require any kind of review before digital technologies are launched. Privacy laws rarely allow people to sue for violations of the laws. This is why they don't work well. They don't hold companies accountable.
It is possible to have effective regulation of privacy. One thing that gives me hope is that many laws being passed today contain provisions that just a few years ago were considered unthinkable and far too stringent.
One example is the right to delete, which allows individuals to ask businesses to erase data they have collected on them. Long part of the data-protection law of the EU, right-to-delete was considered un-American and a nonstarter in the U.S. Now, it is in every state consumer-privacy law, and it isn't controversial at all.
Also effective are privacy laws that require rigorous data minimization. These laws restrict data collection and use to the purposes of gathering the data, and they prevent companies from circumventing these limits.
Going forward, I hope that policymakers will take a more-thoughtful approach when legislating privacy. They should avoid the tantrums of industry lobbyists who say that if a law allows for people to sue, innovation will end. There are plenty of privacy laws that allow lawsuits, including several federal ones passed between 1970 and 2000, and they didn't kill technology or put companies out of business.
Policymakers also must avoid reactionary laws that do more harm than good. For example, laws requiring age verification can cause significant privacy problems by forcing companies to identify users and collect more data about them -- including biometric information. Laws that more meaningfully protect privacy -- not just for children but for everyone -- would be far more effective and not involve invasive and dangerous data gathering.
Effective and meaningful privacy protection would include data minimization, as well as restrictions on dark patterns (deceptive and manipulative technological designs that trick users into sharing data they otherwise wouldn't). Other protections might include liability for negligent or reckless technological design, liability for algorithms that cause harm, requiring protections be built into technologies to prevent them from being used to invade privacy, and forcing companies to test and review technologies for privacy and safety based on standards developed from a multi-stakeholder group. These are just a few ideas.
I'm quite heartened to see that the public is having the right reaction to digital technologies. People are afraid and angry. They want protection. Instead of continuing to craft lazy and reactionary half-measures, policymakers must step up and deliver the protections the public wants and needs.
---
Daniel J. Solove is a professor at George Washington University Law School and author of the forthcoming book, "On Privacy and Technology." He can be reached at reports@wsj.com.” [1]
1. USA250: What's Ahead (A Special Report) --- How to Maintain Our Privacy in the AI Age: Today's privacy laws aren't working because they put the onus on us to guard our data. Let's instead hold companies accountable. Solove, Daniel J. Wall Street Journal, Eastern edition; New York, N.Y.. 02 July 2026: R8.
Komentarų nėra:
Rašyti komentarą