The American General Data Protection Regulations (AGDPR)

AGDPR doesn’t exist, but it should.

In 2012 the Europeans released the first proposal for their General Data Protection Regulations (GDPR), which ran a four-year political gauntlet and evolved into its final, official version in 2016. Because of the ghastly surveillance situation in which we now find ourselves in America and elsewhere, perpetrated by both private industry and government, I think America also desperately needs comprehensive privacy rules: rules informed by now eight years of hindsight and infused with an American value not found in Europe’s GDPR, privacy from government.

If I could wave a magic wand, an American GDPR would improve on Europe’s GDPR in two fundamental ways:

1. Eliminate the idea that data about people can be “anonymized” or “de-identified”.

Data about people can no longer be effectively de-identified by removing personally identifying information (PII) from the dataset. Maybe this was generally still possible in 2016, but not any more.

GDPR set off a wave of innovation among data scientists who, like the old game “Name That Tune”, took the new regulation as a challenge and developed numerous ways to re-identify people using only a few data points that aren’t considered PII, techniques they’ve since made widely available. And that was before the recent explosion of AI tools, which make re-identification easy even without directly using those techniques. Unfortunately, fully GDPR-compliant “de-identified” data sets are now trivially easy to re-identify for anyone with access to a computer.

(For more details on this topic, see this Harvard paper about “simple” attacks that defeat GDPR’s PSO Secure / “singling out” privacy protection provisions.)

If almost any data about a person is usable to re-identify them, then the whole concept of PII is no longer relevant; any data about a person is PII. That is precisely how an AGDPR definition of “personal data” can improve upon the European one: any data about a person. It’s both simpler and more accurate.
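As an added illustration of the “singling out” problem described above (example code, not from the original post or the Harvard paper): the records below are constructed, with names and identifiers already stripped, yet ZIP, birth year and sex alone pin most rows to one person. The block also shows what a k-anonymity check reports before and after the two standard mitigations, generalization and suppression.

```python
"""Added example (constructed data): measure how easily a "de-identified"
table can be singled out using only columns that are not considered PII."""
from collections import Counter

QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")

# Constructed "de-identified" export: PII columns removed, attributes kept.
RECORDS = [
    {"zip": "84101", "birth_year": 1975, "sex": "F", "diagnosis": "asthma"},
    {"zip": "84101", "birth_year": 1975, "sex": "F", "diagnosis": "none"},
    {"zip": "84101", "birth_year": 1982, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "84102", "birth_year": 1990, "sex": "F", "diagnosis": "none"},
    {"zip": "84103", "birth_year": 1961, "sex": "M", "diagnosis": "hypertension"},
    {"zip": "84103", "birth_year": 1961, "sex": "M", "diagnosis": "none"},
    {"zip": "84104", "birth_year": 1999, "sex": "F", "diagnosis": "none"},
]

def _key(record, columns):
    return tuple(record[c] for c in columns)

def equivalence_classes(records, columns=QUASI_IDENTIFIERS):
    """How many rows share each combination of quasi-identifier values."""
    return Counter(_key(r, columns) for r in records)

def k_anonymity(records, columns=QUASI_IDENTIFIERS):
    """Smallest class size; k == 1 means at least one row is singled out."""
    classes = equivalence_classes(records, columns)
    return min(classes.values()) if classes else 0

def singled_out_fraction(records, columns=QUASI_IDENTIFIERS):
    """Share of rows whose quasi-identifier combination is unique."""
    classes = equivalence_classes(records, columns)
    unique = sum(1 for r in records if classes[_key(r, columns)] == 1)
    return unique / len(records) if records else 0.0

def generalize(records, zip_digits=3, year_bucket=10):
    """Mitigation 1: coarsen ZIP to a prefix and birth year to a bucket."""
    return [{**r, "zip": r["zip"][:zip_digits],
             "birth_year": r["birth_year"] - r["birth_year"] % year_bucket}
            for r in records]

def suppress(records, k=2, columns=QUASI_IDENTIFIERS):
    """Mitigation 2: drop rows that are still in a class smaller than k."""
    classes = equivalence_classes(records, columns)
    return [r for r in records if classes[_key(r, columns)] >= k]

if __name__ == "__main__":
    coarse = generalize(RECORDS)
    for name, rows in (("raw", RECORDS), ("generalized", coarse), ("suppressed", suppress(coarse))):
        print(f"{name}: rows={len(rows)} k={k_anonymity(rows)} singled_out={singled_out_fraction(rows):.2f}")
```

Generalizing ZIP and birth year alone still leaves one row unique, which is why real releases combine generalization with suppression or with a noise-based guarantee rather than relying on PII removal.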

2. Include protections for privacy *from government*, in addition to privacy from the private sector.

Europe’s GDPR specifically exempts government; AGDPR should do the opposite: it should bind government’s activities in relation to obtaining, using and retaining personal data.

There are obviously necessary and important reasons for government to obtain, use, and retain personal data, and those reasons should be explicitly enumerated and protected. But the U.S. federal government has gone absolutely bananas when it comes to how much of our personal data they are obtaining about us and our activities, through legal but largely unchallenged means. The degree to which it’s happening is way beyond what’s reasonably needed in a free country that espouses limited government, and that has a Fourth Amendment that secures:

“the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures”.

How is data about us not our “effects”? How is government gathering our effects en masse without our explicit consent not “unreasonable”?

Journalist Byron Tau’s new book about U.S. government surveillance of law-abiding citizens, Means of Control, is outrageous. (Summary article here.) You cannot read it and not become deeply alarmed at the enormous, secret, ubiquitous surveillance state that already exists in the U.S. No doubt European governments are doing the same with their citizens’ data, but — and I’m generalizing here — they don’t have the same foundational distrust of government that the U.S. was born with and so may not be bothered enough to do anything about it, as evidenced by government’s total exemption from their GDPR. I hope, and believe, that once more Americans become aware of the extent of what’s happening, an American GDPR that clearly defines government’s role in privacy can become a real, politically viable possibility.

There is a model to follow. Christopher Bramwell, the Chief Privacy Officer of Utah, was the driving force behind a groundbreaking new piece of privacy legislation just enacted in Utah that constrains how personal data must be treated by government, without saying anything about private industry. As far as I know it’s the first of its kind, anywhere, and hopefully the first of many to follow in other states and countries. This bill gained a fortunate political boon as it advanced: it became a ‘vote against privacy’ to not support it; it passed unanimously.

Of course, privacy from big tech, surveillance capitalism, and private industry in general is a big deal, but private industry doesn’t have a monopoly on violence and taxes like government does; they mostly just want to sell me stuff. Still, the European GDPR shows an example of how to constrain private industry, and an American GDPR should learn from and incorporate those lessons.

The ideal outcome of an AGDPR would provide privacy both from private industry and from government, and finally put a halt to all federal activities of indiscriminate obtaining, using, and retaining of our personal digital “effects”, whether or not they’re considered PII.