A year ago, the idea of a federal data privacy law in the U.S. was unthinkable for all but a handful of digital rights activists. As 2018 comes to a close, the prospect of such legislation has suddenly become very real.
In July, the White House said it was looking forward to working with Congress on “a consumer privacy protection policy that is the appropriate balance between privacy and prosperity.” And recent months have seen a deluge of data protection bills, mostly from Democrats.
Remarkably, Silicon Valley seems to be on board. In September, Apple and Google urged lawmakers to create new federal privacy legislation. A month later, Apple CEO Tim Cook demanded new rights for American consumers. “It’s time to face facts,” he said. “We will never achieve technology’s full potential without the full faith and confidence of the people who use it.”
So what brought all this on? That story begins with the European Union’s tough new privacy law, the General Data Protection Regulation, which, by the time it was signed in 2016, was arguably the most heavily lobbied piece of legislation in the EU’s history. The GDPR serves two main purposes: to harmonize data privacy law across the EU and to make sure the fundamental privacy rights of Europeans can be upheld in the age of “big data.”
Big Tech was keen on the first part—most businesses will take uniform regulations over a patchwork of rules—but wary of the second. Much of the Internet is funded by the exploitation of personal data for targeted advertising; tech-industry lobbyists were warning of terrible new burdens on companies and new costs for consumers all the way up to May 25, when the GDPR went into effect.
So has the GDPR been as calamitous as feared? “It hasn’t been the end of the world,” says Eduardo Ustaran, codirector of the privacy practice at law firm Hogan Lovells. “The most important thing at the moment is that the GDPR is like a baby. It is still being understood, interpreted, and explored.”
There have been mostly minor enforcement actions under the new regulation. Facebook, Google, and Twitter are under investigation for alleged infractions, but multibillion-dollar fines have yet to be levied.
The GDPR, however, has already forced the Bay Area’s biggest firms to make it easier for consumers to retrieve their data and have it amended or deleted, and to ensure that data isn’t being collected and shared without consent. Once these changes have been made, the idea of having the same rules apply elsewhere becomes less outrageous.
“The GDPR is setting a global standard, and U.S. companies will need to comply,” says Marc Rotenberg, president of the Electronic Privacy Information Center, a Washington, D.C., advocacy group. “Big U.S. firms are already required to comply with the GDPR for European markets, so it makes sense to extend a similar approach to the U.S.”
The need for such rules was starkly apparent to consumers and lawmakers around the world when the GDPR took effect. Mere months before, whistleblower Christopher Wylie had exposed how the political research outfit Cambridge Analytica had gotten its hands on the personal data of tens of millions of Facebook users without their consent.
“In the wake of ongoing scandals involving Americans’ digital privacy, there is a growing sentiment among Americans that our federal laws need to reflect that we have fully entered the era of big data,” says Rep. Hank Johnson (D-Ga.), who proposed two data protection bills following the Cambridge Analytica uproar.
Then came a new bombshell: the California Consumer Privacy Act of 2018. Like the GDPR, the bill, signed into law in June, gave people the right to know what data businesses hold on them, where it comes from, and where it’s going. Starting in 2020, Californians will be able to demand the deletion of their data and to opt out of the sale of their data to third parties.
Suddenly, tech firms were facing the prospect of disparate data privacy rules across different states. And that’s when their calls for a comprehensive federal law began to coalesce.
[Infographic: “INVASION OF PRIVACY: A new crisis by the numbers.” Categories shown: Americans who are concerned about surveillance; Internet users who have tried to cover their digital tracks; those who say they should control what info is collected about them; those who feel they have “a lot” of control.]
So what might a U.S. law look like? It wouldn’t simply copy the GDPR, says Ustaran. “Privacy and data protection are fundamental rights from the EU perspective but not in the U.S.,” he says. “That is a major philosophical difference between the two jurisdictions, and that will be reflected in the law.”
Rotenberg says any legislation should establish a new agency to coordinate enforcement and report on the current state of affairs and emerging threats to people’s privacy. “The U.S. needs to improve its understanding of this critical issue,” he says.
One thing is for sure: Big Tech will want to have its say. “I fully expect that Congress would seek input from Silicon Valley in creation of new regulations to create transparency and control for consumers over their personal data online,” says Johnson.
Prepare for a new privacy lobbying battle.
A version of this article appears in the December 1, 2018 issue of Fortune with the headline “In Privacy We Trust.”