Currently in the United States, there is a patchwork of laws governing how various types of data are handled—health, financial, etc.—but there isn’t a clear set of rules for Silicon Valley giants that traffic in vast amounts of information sharing. As a hardware networking giant, however, Cisco does not profit from user data in the same way that a company like Google or Facebook does.
In a blog post, Cisco’s top lawyer, Mark Chandler, called the current legal framework "not adequate." Cisco hasn’t put forward specific bill language just yet; it is speaking for now in generalities.
Particularly in the wake of the Cambridge Analytica scandal, along with the recent passage of the GDPR in the European Union and California’s own new privacy law, companies have been pushing Congress to regulate their industry like never before. Some lawmakers have taken notice and have introduced their own bills, but none have gotten far in the process just yet. Other states, like Washington and Massachusetts, are proposing their own privacy bills, too.
"What we don’t need is more fracturing," Michelle Dennedy, Cisco’s chief privacy officer, told Ars.
A former member of the Federal Trade Commission, Maureen Ohlhausen, told Ars that while the GDPR has "some good concepts," it may not be fully appropriate for the US, as elements of the law can clash with the First Amendment. The GDPR also relies on each member state’s data protection authority, a government agency that the United States lacks.In the US, the FTC is the de facto privacy regulator, but the primary way the agency enforces privacy under Article 5 of its legal mandate is largely to make sure that companies are complying with the privacy laws that they themselves outline in their lengthy terms of service. The FTC can enforce those rules under consent decrees.
"I think that many companies will be interested in an approach that focuses on consumer expectations rather than excessive notification, targets harmful uses of data, is technologically neutral, avoids a patchwork of laws that may fragment our successful national market, and gives the FTC some additional resources," Ohlhausen said.
Still, Cisco and other companies’ sudden change of heart is somewhat odd, according to Ashkan Soltani, a former FTC technologist and current independent privacy researcher based in Oakland, California. Soltani helped author the new California Consumer Privacy Act of 2018 (CCPA), likely the strongest state-level regulation currently in place—it will take effect in January 2020.
"It’s ironic that for years, as long as I’ve been here, companies have said that we can self-regulate; we don’t need any federal regulation," Soltani told Ars. "But then as soon as there are state initiatives, the companies are, like, ‘It’s time for federal regulation!’"
Soltani added that numerous companies are trying to lobby state capitals to shape both California’s law and those of other states that are putting forward similar measures, while at the same time trying to direct the federal government toward something palatable. "The ultimate worry is that, because of a combination of laws like CCPA and just the actions of the big players ruining or tainting the ecosystem, they want to get ahead and [not] disadvantage their specific industry," he said.
That assertion tracks with what at least some privacy lawyers have observed.
"If you read between the lines, Cisco is calling for a law similar to GDPR," Susan Lyon-Hintze, a Seattle-based attorney, told Ars. "They want an enforceable law, but enforceable by governmental agencies and not by individuals and plaintiff lawyers. Tech companies all want to avoid costly litigation."
reader comments
64