When he’s not sounding those warnings through opinion pieces sounding the bell about the erosion of safe harbor protections under section 230 of the Communications Decency Act, he’s raising the alarm more directly through proposed legislation.
Wyden’s latest warning shot comes in the form of a “discussion draft” of a new bill called the “Consumer Data Protection Act.”
In a statement announcing the release of the discussion draft, Wyden came out swinging about the need for legislation which will “create radical transparency into how corporations use and share their data.”
“Today’s economy is a giant vacuum for your personal information,” Wyden said. “Everything you read, everywhere you go, everything you buy and everyone you talk to is sucked up in a corporation’s database. But individual Americans know far too little about how their data is collected, how it’s used and how it’s shared.”
“It’s time for some sunshine on this shadowy network of information sharing,” Wyden added. “My bill creates radical transparency for consumers, gives them new tools to control their information and backs it up with tough rules with real teeth to punish companies that abuse Americans’ most private information.”
When Wyden says his bill introduces “tough rules with real teeth,” he’s not kidding. Section 4 of the bill provides civil penalty authority to the Federal Trade Commission to levy fines “which shall be not more than an amount that is the greater of $50,000 per violation, taken as an aggregate sum of all violations, and 4 percent of the total annual gross revenue of the person, partnership, or corporation for the prior fiscal year.”
Far tougher, though, is the penalty contemplated for corporate officers who falsely certify the annual reports which would be required under the bill. Certifying a report which the officer knows “does not comport with all the requirements set forth” is punishable by up to $5,000,000 in fines (or 25% of the largest amount of annual compensation the officer received during the prior 3-year period) and imprisonment of up to 20 years.
While Wyden’s bill is merely a discussion draft at this stage and may never be debated or voted upon in its current form, it is already being applauded for helping to frame a much-needed debate on consumer data privacy.
“This is an important and thoughtful contribution to the long overdue debate we’re having about privacy law in America,” said Justin Brookman, Director of Privacy and Technology Policy at Consumers Union. “Consumers Union sincerely appreciates Senator Wyden’s continued leadership on defending consumer rights.”
The proposed Act isn’t just about data crime and punishment, of course. Section 6 of the bill would create a “do not track” data-sharing opt-out which would take effect no more than two years after its passage. The opt-out would be administered through a website which would allow “consumers to opt-out of data sharing, view their opt-out status, and change their opt-out status.”
The requirements of the Act also include offering consumers a way to “review what personal information a company has about them, learn with whom it has been shared or sold, and to challenge inaccuracies in it,” provide for the hiring of “175 more (FTC) staff to police the largely unregulated market for private data” and require companies to “assess the algorithms that process consumer data to examine their impact on accuracy, fairness, bias, discrimination, privacy, and security,” according to an information sheet Wyden provided along with press release announcing the publication of the discussion draft.
Wyden’s bill is not without its skeptics and critics, of course. Jake Williams, the founder of Rendition Infosec warned people not to “celebrate too hard at the thought of jailing CEOs for failing to protect data.”
Dear infosec (pardon the thread),
Don't celebrate too hard at the thought of jailing CEOs for failing to protect data. First, it won't pass. Even if it does, it won't mean what you might think. It won't create a SOX style environment around cyber. Sorry 1/ https://t.co/g0cVj6fj4a
— Jake Williams (@MalwareJake) November 1, 2018
“Lots of innovation occurs when people can try new ideas in a (mostly) judgment free zone,” Williams added. “That won’t happen under this sort of legislation. Old IT nerds know the adage ‘nobody ever got fired for buying IBM.’ Expect more technology consolidation under this too.”