The days of federal privacy laws coming to Silicon Valley may happen sooner than you think. In a much-publicized keynote speech given at the 40th International Conference of Data Protection and Privacy Commissioners (ICDPPC) in Brussels, Apple CEO Tim Cook gave his full-throated support for a new federal privacy law in the United States that would be at least as stringent as the new General Data Protection Regulation (GDPR) in the European Union. At a time when federal lawmakers in the U.S. are growing weary over the failure of tech giants like Facebook and Google to self-regulate their own businesses, it might finally be time to enact external regulations from above.
Tim Cook’s comments about federal privacy laws
What was striking first and foremost was how firmly Apple’s Tim Cook came out in favor of federal privacy laws. The Western media characterized his presentation as “fiery,” and the speech was clearly designed to grab the attention of the event’s participants. Cook started off by lamenting the current state of the tech industry, where the big tech giants are “weaponizing data” and using all the personal information and personal data they acquire to target and track users wherever they go on the Internet, without the consent of the individual. He then characterized the situation as a “data industrial complex,” clearly echoing President Eisenhower’s comments more than 50 years ago about the dangerous formation of a “military-industrial complex” in the United States.
“This crisis is real,” said Cook. “It is not imagined, or exaggerated, or crazy.” In fact, he claimed that many big tech companies seemed to know customers better than they know themselves. When you combine all the information that is available about many tech consumers – including financial, medical and personal – it is not out of the realm of possibility that Silicon Valley tech giants simply have too much power. Consumers in the U.S. – unlike their counterparts in the European Union – do not have rights to data minimization, disclosure, security or user access. All of these are granted under the terms of the landmark GPDR, which went into effect less than six months ago.
The only real solution to the current state of affairs, suggests Tim Cook, is the passage of federal privacy laws with act requirements that spell out exactly the rights of consumers, much like the GDPR. Within the U.S. context, similar types of federal laws exist for financial information (such as the Fair Credit Reporting Act of 1970 regulating credit reports), for telecommunications information (such as the Telephone Consumer Protection Act of 1991), and health information (such as the Health Insurance Portability and Accountability Act of 1996). So why not similar laws for online information shared with the biggest tech companies in the world? Or at least the creation of a new federal agency with the real power to protect the data privacy of individuals via a new privacy protection act?
According to Colin Bastable, CEO of Lucy Security, public opinion certainly seems to be shifting against Silicon Valley, “Like the auto and tobacco industries years ago, the social media conglomerates are a consumer safety issue. They used to say, ‘What is good for GM is good for America.’ Now Silicon Valley claims to be the arbiter of all that is good for us, but we know how that ends – badly. Social media cyber-insecurity is the ‘Unsafe at Any Speed’ issue of our times.”
Apple vs. Facebook
Without actually bringing up the names of Facebook and Google, Apple CEO Tim Cook was focused enough in his remarks that it was very clear whom he had in mind when he mentioned the term “data industrial complex.” He was clearly sending a shot across the bow at two of Apple’s biggest rivals, Facebook and Google. From Cook’s perspective, Apple is a hardware company and would be much less affected from the application of rigorous new federal privacy laws. Instead, these federal privacy laws might have a crippling impact on Facebook, and to a lesser extent, Google.
In fact, one could argue that the entire basis of Facebook’s business model is the collecting, collating and then selling of personal information to the highest bidder. When advertisers buy ads from Facebook, it is because Facebook does an unparalleled job of delivering the right types of customers. Facebook knows so much about you – where you live, who your friends are, where you went last night, and what you “like” – that it’s a veritable gold mine for potential advertisers.
Just imagine what would happen, though, if federal privacy laws akin to the GDPR went into effect governing information practices, and then enforced by the federal government. Facebook would be much more limited in the type of data that it could collect, and how it could use it. Before any data was shared with a third party (i.e. an advertiser), Facebook would likely have to get your permission. And Facebook would also have to make it much easier to hide social profiles entirely from potential advertisers.
For that reason, it’s easy to see how Tim Cook’s remarks need to be evaluated in a more nuanced way. It’s not that he suddenly “got religion” and became a data privacy convert. That might be part of the story, but it’s easy to see that his direct calling out of the “data industrial complex” was really done for business and strategic purposes. Plus, if you’re giving a keynote speech to an audience at a data privacy conference, what else can you really say? For their part, both Facebook and Google delivered comments via video (but not live in person) at the event, with both showing at least tepid support for strict federal privacy laws.
As Colin Bastable of Lucy Security points out, Apple CEO Tim Cook had a very clear strategic goal for his keynote speech, “Tim Cook takes a break from virtue signaling to throw rocks at Google and Facebook, because he wants to position himself and Apple as the good guys whilst the others are vulnerable. His message is right, but Apple is also part of the problem. These players hold massive quantities of data, and we should never assume that they will ever have our best interests at heart.”
That viewpoint was echoed by Paul Bischoff, privacy advocate with Comparitech.com: “I think it’s important to put his words into context. Apple can ride a moral high horse when it comes to privacy because it does not primarily depend upon targeted advertising and the collection and sharing of personal data to make money. Most of its competitors do, namely Google. Advocating for privacy laws is a practical way for Apple to indirectly lobby against Google.”
Are federal privacy laws coming in 2019?
Perhaps the big takeaway lesson from all this is that the big Silicon Valley giants have resigned themselves to the fact that more regulation is coming, and they’d better get out in front of it. The goal here, of course, is to weaken any federal privacy laws that might go on the books, and the way to do that is by helping to shape public opinion. If the likes of Facebook and Google can convince the American public that federal privacy laws will have a chilling effect on free speech, innovation and the American way of life, then that might be a way to cool down some of the rhetoric coming out of Washington, D.C. these days. At the very least, the big tech giants are hopeful that federal privacy laws will be more lenient than regulation currently being prepared in states like California.
Along the way, of course, there will certainly be compromises. As Paul Bischoff of Comparitech points out, regulators need to take a big picture view of the situation: “I think we’d all like to see a world in which our personal details weren’t treated as currency by corporations. But we also want affordable devices. Targeted advertising helps subsidize cheap Android smartphones, which improves Internet penetration among many people in the world who can’t afford iPhones. That includes many developing nations where many people access the World Wide Web for the first time via budget Android smartphones. To take budget devices out of the market because they don’t align with Cook’s vision of privacy law seems cruel to me. The law should strike a balance between these two business models and remain skeptical of both sides’ profit motives.”
With just two months to go until the end of the year, and plenty of attention being diverted to the midterm elections in November, it’s unlikely anything will change in 2018 when it comes to privacy law. But comments similar to the ones that Apple CEO Tim Cook made in Brussels will surely play a role in shaping the narrative headed into 2019. If personal information really has been weaponized, as Cook suggests, then there is sure to be a big push to take away those weapons over the next 12 months.