Why US data privacy laws go against what the people want
Profit before people
What does the U.S. public think about data privacy?
When we talk about data, we generally mean theinformation that is collected when people receive services or buy things in a digital society, including information on health, education and consumer history. At their core, data protection laws are concerned with three questions: What data should be protected? Who can use the data? And what can someone do with the data?
Our team conducted a survey of over 500 U.S. residents to find out what uses people are most comfortable with. We presented participants with pairs of 72 different data use scenarios. For example, are you more comfortable with a business using education data for marketing or a government using economic activity data for research? In each case, we asked participants which scenario they were more comfortable with. We then compared those preferences with U.S. law – particularly in terms of types of data being used, who is using that data, and how.
Under U.S. law, the type of data matters tremendously in determining which rules apply. For example,health dataisheavily regulated, whileshopping data is not.
But surprisingly, we found that the type of data companies or organizations use was not particularly important to U.S. residents. Far more important was what the data was being used for, and by whom.
The public was most comfortable with groups using data for public health or research purposes. The public was also comfortable with the idea of universities or nonprofits using data as opposed to businesses or governments. They were less comfortable with organizations using data for profit-driven or law enforcement purposes. The public was least comfortable with businesses using economic data to increase profits – a use that iswidespreadandloosely regulated.
Overall, our results show that the public tends to be more comfortable with altruistic uses of personal data as opposed to self-serving data uses. The law more or lesspromotes the opposite.
What’s allowed, what’s not
Ideally, data protection laws would limit the most risky data uses while permitting or even promoting beneficial, low risk activities. However, this is not always true.
For example, one federal lawprevents sharing records of substance abuse treatmentwithout an individual’s consent. It is, of course, beneficial in many cases to protect these sensitive records. However, during the ongoing opioid epidemic, these records could providecritical informationon where and how to intervene to prevent overdose deaths. Worse yet, when only certain data is withheld for privacy, the remaining data can actuallymislead researchers to make the wrong conclusions.
Sometimes, laws permit data use in ways that theU.S. public findstroubling. In most U.S. business contexts, using personal information for profit – for example, a company using personal informationto predict customers’ pregnancies– is legal if this action is covered by a company’sprivacy notice.
The American public’s awareness of and uneasiness with how companies use personal information has pushed lawmakers toexplore new data regulations. Experts have argued that the status quo – a confusing patchwork of privacy laws –is inadequate, and some have argued forcomprehensive privacy laws.
In the absence of federal legislation, some states have voted to put more comprehensive laws into place.Californiadid in 2018 and 2020,VirginiaandColoradoin 2021, andother states are likely to follow suit. If new laws are going on the books, we believe it is vitally important that the public has a say on what data uses should be restricted and which should be permitted.
How would good data privacy laws help?
Every year,hundreds of thousands of Americans diebecause of social factors like education, poverty, racism and inequality, and there are protected data sets that public health officials, researchers and policymakerscould use to promote the common good.
The data-use case with the most public support is when researchers use education data for public health. Importantly, research shows that nearly250,000 U.S. deathsannually can be attributed to low education – for example, a person having less than a high school diploma – and low education can contribute topoor nutrition, housing and work environments. Butfederal education privacy lawlimits groups from accessing education records for public health or any health research. In this case,U.S. data protection lawsseverely restrict researchers’ ability tounderstand these deaths or how to prevent them.
The data exists to better understand many other complex problems – like racism, obesity and opioid abuse – butdata protection lawsoftenget in the wayof health authorities or researchers who want to use it.
Our research suggests that current legal barriers that prevent using data for the common good stand in stark contrast to the public’s wishes. As laws are revised or put into place, they could be designed to represent the public’s desires and facilitate research and public health. Until then, U.S. data privacy laws will continue to favor profit over the public good.
Article byCason Schmit, Assistant Professor of Public Health,Texas A&M University;Brian N. Larson, Associate Professor of Law, Legal Argumentation and Rhetoric,Texas A&M University, andHye-Chung Kum, Professor of Public Health,Texas A&M University
This article is republished fromThe Conversationunder a Creative Commons license. Read theoriginal article.
Story byThe Conversation
An independent news and commentary website produced by academics and journalists.An independent news and commentary website produced by academics and journalists.
Get the TNW newsletter
Get the most important tech news in your inbox each week.
