US draft bill moots locking up execs who lie about privacy violations

Company bosses could be thrown in jail for up to 20 years if they aren't straight with US regulators about privacy violations under a law drafted by senator Ron Wyden.

The Democrat has proposed a new privacy bill for the US, with the short title of the Consumer Data Protection Act (PDF), which aims to address the hole in national rules.

The rights proposed under the bill chime with those granted under the European Union's General Data Protection Regulation and California's privacy law.

It aims to boost transparency from companies collecting, storing and sharing data, and grants people the right to review what personal information a company holds on them, learn who it has been shared with or sold to, and to challenge inaccuracies in it.

And, in contrast to the US government's own, rather toothless, attempt at privacy rules, which set out plans for a voluntary framework with no legislation or fines in September – Wyden's is penalty-heavy.

For first offences, it proposes fines of up to $50,000 per violation, taken as an aggregate sum of all violations, or 4 per cent of the total annual gross revenue. The GDPR allows for fines of $20m or 4 per cent of total revenue, whichever is greater.

But the senator goes further than this, mooting jail time for execs if their companies don't play by the rules.

Companies targeted by the rules are those that slurp up info on more than 1 million consumers and have annual revenues of $1bn more, or smaller firms that gather data on 50 million people or more.

They will be required to submit an annual data protection report to the Federal Trade Commission, which describes whether they have complied with the rules. In cases where a company didn't, it must explain the violation and how many people were affected.

The report must be accompanied by a written statement from the CEO, the chief privacy officer and the chief information and security officer. And if they certify a statement knowing the annual report doesn't comply, they can be fined multimillion-dollar sums or imprisoned for up to 10 or 20 years, depending on their intentions.

In addition to these annual reports, the bill would also require companies to assess the algorithms that process consumer data, to examine their impact on accuracy, fairness, bias, discrimination, privacy, and security.

Any companies using automated decision systems would have to publish an impact assessment that evaluates the system and its development process, and the benefits and costs of the system in the context of its purpose.

This would include the design and training data used and how it could impact accuracy, fairness, bias, discrimination, privacy and security, in the context of practices like data minimisation, what information is given to consumer and whether they can access and correct results.

Opt out or pay up

A big chunk of Wyden's bill focuses on opt-outs, central to which is a Do Not Track data sharing opt-out website that the Federal Trade Commission (FTC) would need to implement and maintain.

This would allow people to set a cover-all policy saying they don't want companies to share their information with third parties, and the FTC will keep a record of the date and time when they opted out.

Companies would have to check this site and comply with each person's status, with the bill suggesting the FTC creates some sort of API to allow them to monitor the site. The commission may charge a "reasonable fee" for the API to cover the costs of operating the opt-out registry and access to the system.

Consumers must be able to use the site the check and change their opt-out status – again, the bill also said this could be through the API – and these statuses should only be shared with companies in a privacy-protecting way so that only opt-out status, and no other personal information, is handed over.

Under the bill, there would be exceptions when companies don't have to comply with a request, such as if the company needs to share the data in order to provide the service the consumer asked for, or when disclosures are required by law.

Companies can ask consumers to free them from this tracking opt-out – but in order to do so, they have to be much more transparent with consumers, giving them a list of the third parties, the data that will be shared and how it will be used.

Wyden's bill also allows for companies to make consent a condition of access to a product or service – but if this is the case, the company has to offer customers a way to pay for a similar product or service at the same time.

This fee "shall not be greater than the amount of monetary gain the covered entity would have earned had the average consumer not opted-out," the bill said. It doesn't detail how this might be calculated or assessed by the regulator.

FTC to add 175 staffers to enforce bill

The senator also acknowledges the extra burden enforcing the bill would place on the FTC, proposing that it hires 175 more staff to "police the largely unregulated market for private data".

The commission will establish a Bureau of Technology, the bill said, with a chief technologist appointed by the FTC chairman and staffed by 50 people "with expertise in management, technology, digital design, user experience, product management, software engineering, and other related fields to technologist and management positions".

Twice as many staff will be hired in the Division of Privacy and Identity Protection of the Bureau of Consumer Protection, with the remaining 25 being recruited to the Division of Enforcement of the Bureau of Consumer Protection.

The bill has won praise from privacy advocates. DuckDuckGo CEO Gabriel Weinberg said: "By forcing companies that sell and monetize user data to be more transparent about their data practices, the bill will also empower consumers to make better-informed privacy decisions online, enabling companies like ours to compete on a more level playing field."

However, given the lobbying power of the tech giants in the US – and efforts to take out the Californian law – it seems unlikely the bill will pass as it stands. Perhaps the best outcome is that it will provides a blueprint for those pushing for better privacy laws to wield in debates. ®