The COVID-19 pandemic has laid bare our reliance on technology and data while forcing millions of Californians to work and attend school virtually. The pandemic has also opened a Pandora's box of technology challenges for consumers and policymakers alike -- including very real concerns related to data-driven racial profiling and bias.
Data is the oil that drives the California and global economy, and businesses like retailers, banks and airlines need it to effectively run their daily operations. But concerns about consumer privacy continue to mount.
On July 16, the European Union's highest court, the European Court of Justice, invalidated the EU-U.S. Privacy Shield program, a vehicle for responsibly moving data from the EU to the United States. The ECJ decision claimed that U.S. privacy laws were inadequate because of the government's national surveillance powers. The ECJ decision also reflected a desire for other reforms.
Why should Californians care what a distant EU court thinks about consumer privacy?
In a word, jobs. Secretary of Commerce Wilbur Ross has warned of the decision's negative impact to the $7 trillion-plus transatlantic trade relationship. Many of these jobs, especially technology-driven ones, deliver paychecks across Silicon Valley that also boost the local economy.
Assuming the U.S. surveillance concerns raised in the ECJ decision are resolved politically, there is an additional hurdle to address. The EU needs to see that U.S. privacy law is "essentially equivalent" to the EU's regulations to allow the transfer of consumer data to the United States.
Yet there is no national U.S. law of the necessary breadth and depth that currently meets this standard, notwithstanding the fact that both businesses and consumers have increasingly cried out for federal legislation.
A new initiative on California's November ballot, Proposition 24, the California Privacy Rights Act, offers a potential solution to the EU's call for action.
Prop. 24 would amend existing California law to include many protections harmonious with European privacy law.
It would enshrine data transparency; create new rights for consumers (defined as all California residents) to limit the use or disclosure of sensitive data, including racial and ethnic data; expand access and deletion rights in keeping with EU law and rights to be forgotten for California residents; provide clearer rights with respect to automated profiling systems; and establish a new California Privacy Protection Agency to enforce these measures.
All these provisions would be necessary to bring an American law closer to matching "adequacy" with the EU.
Paired with political negotiations regarding foreign surveillance, the CPRA would provide a set of concrete protections for U.S.-EU policymakers to discuss within a newly revived cross-Atlantic data-sharing deal, which would offer stronger consumer privacy protections than the Privacy Shield accord.
The CPRA offers the fastest route to a new equilibrium with Europe, restoring a transatlantic data-sharing process that would be efficient and trusted by most stakeholders.
It would also critically preclude the need for any new U.S. federal law that would take months, if not years, to be approved by a politically divided Congress in Washington, D.C. And, because of the "California effect," we believe that most companies in the United States would then match their privacy protections to the CPRA.
The current situation is clearly not working for American consumers or businesses. Privacy concerns are rising, and regulators are creating a dense thicket of business rules that, in their disharmony, impose compliance costs and more red tape.
The CPRA is a solution that creates a strong baseline and would establish privacy rights in a robust fashion. It could also help revitalize cross-Atlantic commerce by harmonizing U.S. and EU consumer privacy standards while also giving a much-needed lift to California's economy.