TAO Panelists Call for Federal Privacy Policy – Is It Time For a US GDPR?

In recognition of the National Cyber Security Alliance (NCSA) Data Privacy Day held annually on January 28, the Technology Association of Oregon hosted a virtual panel discussion to explore what to expect for data privacy in 2021. After decrying confusing and inconsistent privacy regulations across industries and countries, the panelists welcomed the growing potential for unifying regulations at the federal level.

The panel consisted of notable privacy and security experts from the local region. Leila Javanshir, a certified information privacy professional (CIPP-US) and associate at leading Portland law firm Miller, Nash, Graham, & Dunn, led off the discussion by asking the panelists about the impact of privacy and information security laws. Joining the discussion were Dave Dyk, CISO for Smarsh; Morgan Mann, Vice President and COO for the $3B Security Business Group at Cisco; and Dennis Miller, security architect for Albany, Oregon-based Talent Cyber Security.

Mann started the discussion by stressing the importance of privacy to business success, citing a recent Cisco survey showing that a third of all consumers have stopped buying from one or more businesses because of their data policies or practices.

“Privacy has real implications to us, as business operators and participants. And then you layer on top of that the millions of workers and students who are now engaged in their activities from home remotely,” Mann said. “We’re working in this hyper-connected digital environment that demands privacy and security take center stage. The past is almost irrelevant at this point, because so much change has occurred, particularly in these last 12 months with the accelerating rate in which we go digital.”

Adding to the urgency for a more formalized regulatory framework, Mann argued, has been the tendency for businesses to treat consumer protection as an afterthought, “placing privacy not as a priority, but really as something to overcome.”

Privacy: A Basic Human Right

Miller took the call to action a step further by elevating privacy to a basic human right. “When businesses, governments or criminals mis-use our personal information, they are violating human rights,” he said.

While it’s obvious that privacy regulation could benefit citizens and consumers, the panelists noted there would be considerable benefit to business as well by helping to reduce regulatory complexity.

For instance, Smarsh’s Dyk pointed out that the federal government currently has a program for evaluating vendors for security and privacy, but it’s completely different from what’s required in other industries. “That’s a challenge for any business who’s doing B2B who wants to be in multiple industries,” he said, contrasting this model with the cross-industry “omnibus” privacy rules being employed internationally.

Mann offered that larger companies like Cisco have the resources to deal with a patchwork of regulations, but this situation presents an unfair burden on smaller businesses.

“The issue isn’t regulation itself. The issue is the lack of coherent regulation across 50 states, let alone 190 countries. The complexity and differences lead to significant issues when it comes to the cost and expense of how to how to manage through these waves of regulatory environments,” Mann explained. “That really is what needs to change. The remedy is probably a more effective federally orchestrated regulatory environment, as opposed to leaving it to, again, 50 states to fight among themselves.”

Dated Regulations

Dyk also noted that the regulations that do exist in the U.S. are becoming dated. For instance, the Gramm-Leach-Bliley Act that seeks to protect consumer financial privacy is already 20 years old. From this perspective, privacy is “not a new topic by any means,” he said. “But we’re certainly seeing an acceleration of focus of it,” driven in part by the pandemic and the growing role of digital systems in society.

Where this all leads is unclear. To Talent’s Miller, these factors may point to the need for a regulatory framework similar to the EU’s GDPR. “I think we need something like the GDPR for the United States. It’s really clear, it’s really clean. Individuals can retrieve their personal information and they can choose how they want it to be disseminated. We are overdue for a comprehensive framework for regulation,” he said.

“Of course, there’ll be the naysayers who say we don’t need it and let the industry police itself. But they’re not doing a very good job of it. My stance is that privacy is a human right, and we have to protect it. If we have to resort to some form of regulation, then then we have to accept that and move on,” Miller said.

From a legal momentum perspective, Javanshir and others posited that increased privacy protection could be a real possibility with the Biden administration. She said the environment is “changing quickly” and comprehensive privacy is “becoming much more of a possibility. It’ll be interesting to see where the sticking points are. We see a lot of issues with the private right of action, how expensive we want that to be. There’s going to be a lot more conversation than we expected.”

For consumers, privacy advocates and for business more broadly, these discussions could be a step in the right direction. For the full story, watch the video recording of the panel’s discussion below.