Several Senate Democrats have proposed a Data Care Act. It seems obvious that there is pressure for politicians to impose expectations on online companies to address concerns for the use and protection of user information. I have concerns that Republicans, whether they object to this proposal or not, will refuse to consider legislation offered by Democrats. However, the public should be made aware of the specifics of this proposal.
I see the proposal as consisting of two components – a) what are the responsibilities of providers to protect data and to inform users when protective measures fail and b) what are the responsibilities for how companies use the data collected.
I have minor concerns about both provisions. First, I think it impossible to absolutely protect data. Hence, the proposed penalties when some data are compromised (e.g., medical records) are possibly unfair. The way I read experts on hacking, it is impossible to protect data that are accessible on the Internet, and what counts as responsible efforts at protection should be specified.
An important section of the proposed legislation related to the use of data follows.
shall take reasonable steps to ensure that the practices of any person to whom the online service provider discloses or sells, or with whom the online service provider shares, individual identifying data fulfill the duties of care, loyalty, and confidentiality assumed by the person under the contract described in subparagraph (B), including by auditing, on a regular basis, the data security and data information practices of any such person.
I guess a strict interpretation of this section would satisfy my basic concern, but I am against the sharing of personal data from one company to another. My logic goes something like this. I assume I enter into an implied contract when I use a service that collects my data. I assume that I am “paying” for the service by accepting the visibility of ads and the collection of my data to personalize these ads. I am not agreeing to having my data shared with unknown others even if this process is intended to improve the personalization of the ads I receive. It is my lack of awareness of just who these other companies are that is at issue. I can deal with ads I know are ads (I guess this is also my assumption) and with my interpretation of the motives of the company accepting my payment for the free access to a service provided.
This perspective concerns my right to informed choice. I can make a decision not to spend money in Hobby Lobby or Chick-fil-A as a function of my opinion regarding how a part of my money might be spent. I assume the same right when it comes to Google or Facebook. I cannot exercise this right if Google or Facebook has shared my data (my payment) with organizations not made known to me.