Notes on telecommunications privacy in the United States context
As part of the Telecommunications Law and Policy course I am taking here, we had to write a post on one of the topics covered in class. The perfect excuse to add English-language content to the blog.
Since there is a lot of discussion here about the possibility of a Federal Privacy Law, I thought it would be interesting to write some notes on the European data protection model, which is very different from the concept used on this side of the Atlantic.
During my four months here (yes, four already) I have attended several panels on the subject, and the conclusion is that although there is consensus on the need for it (with support from Democrats and Republicans), it is still far from being passed. When it comes to working out the fine print the problems begin, and given that there are elections next year, nothing suggests we will see a Federal Privacy Law until at least 2021.
The assignment was to take the position of an interested stakeholder and write an entry for the blog of the organization represented. I chose to write it from a non-governmental organization defending consumers' right to privacy.
I leave the notes below; they may help refresh issues that we take for granted in the civil-law tradition but that are not so obvious here. They also contain a number of external links that are useful for going deeper into the topic.
WHAT LESSONS CAN AMERICA LEARN FROM EUROPE IN TELECOMMUNICATIONS PRIVACY?
After last year’s scandals, there is a growing consensus that America should embrace the idea of a Federal Privacy Law. While some organizations have even presented thorough drafts of what this Act should look like, others have used this opportunity to mask their real intentions of undermining standards set in State Law. Even though there seems to be a general agreement on the need for a Federal rule, details still have to be adjusted.
Fortunately, we are not starting from scratch. Across the Atlantic Ocean, the European Union has been building the foundations of modern privacy law since at least 1995, when it approved the Data Protection Directive. This Directive fulfilled its purpose of standardizing policies across the (pre-Brexit) 29 countries, but it proved that more action was needed to face the challenges of the Internet in a responsible and forward-looking way. Thus, in 2016 the European Parliament approved the General Data Protection Regulation, or GDPR, which came into force in May 2018 and which you have probably heard of.
This long-run experience provides the old continent with invaluable legislative, judicial and administrative know-how from which we can take note. The influence of the European paradigm has spread all over the western hemisphere. Most Latin American countries have adopted constitutional and/or statutory provisions that encompass the European one. Let’s say it: in privacy standards, Europe is leading the way.
Telecommunications privacy is one of the main areas where European regulation has played an important role. From cookie advertisements to mandating that Google eliminate search results, the EU bodies have, with successes and mistakes, addressed the challenges of the ever-evolving Internet.
With this scenario, we can ask ourselves: What can we learn from the European experience? What should we try to follow when drafting a comprehensive and modern Federal Privacy Law?
Rights and empowerment
The foundation of the European system is the recognition of privacy as a human right, either in constitutional clauses or in legislative acts. On this cornerstone, the whole framework puts citizens first and provides them with the guarantees and safeguards needed to protect them at every moment, not only with preventive measures but also with effective remedies. Consolidation into one set of rules makes the law easier for the population to understand, a vital step if people are to enforce and claim their rights.
In this sense, various decisions that have shaped the regulatory landscape came from individuals asking for their rights. Think of Mario Costeja, who led the way to the still controversial Right to be Forgotten in 2014, or Max Schrems, who successfully contested the Safe Harbor after the Snowden revelations. Even civil rights organizations have promoted privacy through strategic litigation and have taken down regional agreements that don’t respect individual freedom, such as the Data Retention Directive, which was challenged by the Irish organization Digital Rights in 2014.
On this side of the Atlantic Ocean, the United States has many provisions regarding privacy, but they are fragmented across different Federal and State Acts. In the telecommunications sector alone, we can find provisions in four different acts: the Children’s Online Privacy Protection Act, the Video Privacy Protection Act, the Telephone Consumer Protection Act and, of course, the Telecommunications Act.
This fragmented approach does not help people understand their rights or the obligations that companies have in protecting their data. Furthermore, some policy signals have been contradictory, such as the set of Rules to Protect Broadband Consumer Privacy, which were nullified only one year after their adoption.
When drafting a Federal Privacy Law, Congress should consider empowering individuals. A good practice would be to include a private right of action, allowing citizens to challenge defaulting companies before the courts. The Rights of Access, Rectification, Cancellation, and Opposition (known as ARCO Rights), which are widely recognized across countries that follow the European model, allow citizens to exercise their rights directly and, usually, without cost.
The Data Protection Authorities, or DPAs, have played a central role in the consolidation of the European regulatory framework. Countries created specialized bodies that not only issue regulations but also penalize companies for misuse of personal data and carry out educational campaigns. The DPAs are also a single point of contact between countries, so they can approach cross-border issues in a coordinated manner.
While some have argued that the FTC should be the regulatory body to address privacy issues by gaining more specific powers, there are strong arguments for creating a new specialized body that addresses privacy issues holistically. The FTC has done great work in recent years, but we cannot continue stretching the boundaries of the regulatory powers of an agency focused on market and business conditions, not human rights.
Having a specialized body raises attention to privacy. The agency could coordinate the measures to be taken, resolve minor disputes and run social awareness campaigns. Moreover, in a dedicated agency, privacy policies would not have to compete for budget with other topics, as they do in multipurpose agencies.
Probably the scope and reach of this new agency could overlap with the power of other regulatory bodies. But we have to embrace that as a strength: The new agency would have a holistic view of the problems and solutions. A full, 360-degree view would enable better coordination of the different measures to be taken by the stakeholders including companies, non-governmental organizations, and the technical community.
Obligations to companies
With the enforcement of the GDPR, companies had to raise their privacy provisions in many directions, generating a consciousness of personal data unseen before. You may remember the dozens of compliance emails that filled up your mailbox around May 2018.
The GDPR mandates that companies handling sensitive information appoint a Data Protection Officer, a professional delegate in charge of managing the privacy standards of the organization. Furthermore, this appointment is accompanied by the requirement to document all compliance measures and to develop data protection impact assessments. Even if all the big players have already incorporated these practices, the fact that it is a statutory obligation raises awareness across smaller companies and helps agencies communicate with companies more fluently and directly.
But perhaps the most commented novelty of the GDPR came with the monetary aspects. Telecommunications providers and tech companies are currently under investigation in various countries, and they are watching the fines with extreme caution after the British Airways case, in which the airline had to pay out $230 million for a 2018 data breach.
In conclusion, the discussion on a Federal Privacy Act is still open, but we strongly believe that many lessons can be drawn from the European Union. We encourage our Congress, as well as other stakeholders, to develop dialogue and exchange experiences with the old continent so we can develop robust, cross-border legislation for telecommunications services. The outcome will be a better understanding of privacy for the Twenty-First Century.