Should we hold companies like Equifax and Facebook responsible for the protection of our personal information in the same way we hold banks and hospitals responsible? Should we expect the same level of control over data we’ve given to Google as we do with information shared with our doctor or lawyer?
A new bill introduced by Senate Democrats on Wednesday says the answer is “Yes,” that some online companies should bear a comparable level of responsibility for the control and protection of Americans’ private data. Because ultimately, the argument goes, Mark Zuckerberg should have a similar level of responsibility to protect your data as your doctor does.
While the legislation is new, this idea is not. Some legal experts have long argued that companies that handle large amounts of data should have a legal obligation to act responsibly. They call such companies information fiduciaries.
Senator Brian Schatz, the bill’s principal author, says he’s going with something a bit less snooze-inducing and complicated: “data care.” (The term “data care” is used in lieu of “information fiduciaries,” he explained, because the latter provokes too many extraneous legal connotations.)
Jack Balkin, a professor of constitutional law at Yale, wrote on this topic in 2016 about how the law requires doctors and lawyers—traditional fiduciaries—to act in good faith, and “on pain of loss of their license to practice,” specifically because our interactions with them are unavoidable. We depend on them and in some cases have no say in the matter. The confidentiality of some information, he then says, is not conditional based on its content alone, but may be private by default because of a special social relationship.
In an article about information fiduciaries for the Atlantic, Balkin and Harvard legal professor Jonathan Zittrain wrote, while referring to Facebook, Google, and Uber by name:
Like older fiduciaries, these businesses have become virtually indispensable. Like older fiduciaries, these companies collect a lot of personal information that could be used to our detriment. And like older fiduciaries, these businesses enjoy a much greater ability to monitor our activities than we have to monitor theirs. As a result, many people who need these services often shrug their shoulders and decide to trust them. But the important question is whether these businesses, like older fiduciaries, have legal obligations to be trustworthy. The answer is that they should.
Introduced as the Data Care Act, Schatz’s bill would have the Federal Trade Commission draft new rules for pursuing fines against companies that misuse private data. Companies hoarding and trafficking in private data should be held to fiduciary-like standards, he said, including legal duties to be loyal to consumers and maintain their confidentiality—the latter of which, he said, is essential for companies in their interactions with third parties.
“People have a basic expectation that the personal information they provide to websites and apps is well-protected and won’t be used against them,” Schatz said in a statement. “Just as doctors and lawyers are expected to protect and responsibly use the personal data they hold, online companies should be required to do the same.”
The FTC is liked for this job, he said, because he admires the agency’s functionality and its ability to remain nonpartisan; that and because it’s run by “hard-nosed regulators who know what they’re doing and have not become a political lightning rod.” Given the nature of technology, a federal agency should lead the way, he said, particularly in regard to the complex jurisdictional issues that arise from internet geography (e.g., the physical location of internet servers versus the location of users). Schatz argued that the onus should be on Congress and not the FTC, however, to determine what kinds of businesses this bill will ultimately apply to; many brick-and-mortar shops, he noted, also collect and use consumer information, while not engaged in the kind of data brokering practices typical of companies like Facebook.
Schatz also said he views his bill, currently co-sponsored by 14 other Democrats, as complementary and not necessarily a replacement for other bills introduced by his colleagues aimed at holding internet companies accountable for their handling of user data. Sen. Ron Wyden of Oregon, for example, recently circulated a draft bill of his own, which also relies heavily on the FTC and would impose stiff fines and potentially even jail-time in cases of serious corporate malfeasance.
“I think we’re in a relatively strong bargaining position,” Schatz told reporters. Internet companies, he said, “need something to happen federally,” otherwise state privacy laws, which he said certain tech companies “fear very much,” will begin to pop up everywhere, as happened with California’s sweeping consumer privacy law, which passed earlier this year.
In addition to Schatz, the Data Care Act is co-sponsored by Democratic Senators Maggie Hassan, Michael Bennet, Tammy Duckworth, Amy Klobuchar, Patty Murray, Cory Booker, Catherine Cortez Masto, Martin Heinrich, Ed Markey, Sherrod Brown, Tammy Baldwin, Doug Jones, Joe Manchin, and Dick Durbin.
“Online platforms are collecting an enormous amount of personal data on Americans–everything from what we buy and what websites we go to, to what our emails say and where we go throughout the day,” Senator Klobuchar said in a statement. While not naming names, she said companies are making billions off our data while “keeping Americans in the dark about how it is being used.”
“The Data Care Act will help by establishing a duty of care for sensitive data and by ensuring the FTC can hold companies accountable when they fall short,” she said. “The digital space can’t keep operating like the Wild West at the expense of our privacy.”
Senator Markey added: “In today’s digital economy, personal data is everywhere, and those who have access to Americans’ sensitive information have a responsibility to protect that information and keep it private. It is time for Congress to enact comprehensive privacy legislation, and the Data Care Act would be an important part of that effort.”