I learned to fly Navy jets in South Texas, where the summer heat is oppressive and the thunderstorms are fearsome. From May through September, haze often masks these convective monsters. Our rule: if there’s any doubt, give summer weather
a wide berth. So, after a flight where I almost stumbled into a TS4 behemoth, my flight instructor offered that “not making a decision IS a decision”. That’s stuck with me.
His words come to mind when I consider Washington DC’s stalled approach to protecting consumer privacy and regulating the downside of new technologies, including facial recognition, machine learning and AI.
On the surface, there are signs of progress. Arch-conservative Jim Jordan (R-OH) and liberal champion Alexandria Ocasio-Cortez (D-NY) see eye-to-eye on little, but they both agree that facial recognition needs to be regulated.
Even the tech firms, including newly-minted free speech champion Mark Zuckerberg, are asking for federal consumer privacy legislation. Still, DC gridlock is winning the day -- no consumer privacy legislation is moving. And Congress,
by not seizing the momentum, is collectively making a decision not to make a decision.
Nature abhors a vacuum – at least according to Aristotle or Einstein. So, when these new technologies create sufficient harm (happening now), their victims get angry, assemble and look for someone to protect them. With DC gridlocked,
other government entities have stepped in to fill this void.
Out of necessity, the first to step up have been local governments. City councils in places like San Francisco and Somerville, MA have passed consumer legislation banning technologies like facial recognition outright. Detroit is allowing its
continued use by the police, but with restrictions.
And then there’s Europe.
I’d wager that the most powerful person in tech that you’ve not heard of is Margrethe Vestager, the EU’s former Commissioner of Competition and newly-minted Executive Vice President. Vestager, a Danish bureaucrat,
is currently more influential in setting U.S. consumer privacy legislation than anyone inside the Beltway. Let me explain.
Europeans view Silicon Valley’s market power differently. Across the Continent, Europeans worry they’ve become America’s technology colony. They’re angry. To them, American tech giants abuse their consumers’
privacy, don’t pay sufficient taxes, and suffocate entrepreneurs.
And, the Europeans have struck back -- to date, fines have been their primary revenge. They’ve imposed some big ones, for example: €8.3 billion against Alphabet and a €14 billion back-taxes bill to Apple.
With Vestager’s promotion, Europe has expanded its mandate. Expect new EU regulations around consumer privacy that include limiting facial recognition, machine learning and AI. Vestager is also spearheading new tax enforcement
and heightened antitrust moves.
Why these EU moves matter in the U.S.
The EU’s regulatory actions and penalties are being closely watched by US state capitals – notably Sacramento and Albany. Just as GDPR provided the underpinnings for Cal Privacy, so too can upcoming EU rulings influence
these state legislatures. At the same time, expect state attorneys general to study European penalties closely to see how they can be applied in their jurisdictions.
More important still, when a big state (say California or New York) enacts complex legislation, the historical pattern is that this becomes the federal standard. Look how California’s auto emission rules have become the de-facto
standard. This same thing is happening with consumer privacy. Rena Mears, an attorney at DLA Piper, stated that “99 percent of [her] clients are making Cal Privacy their de-facto consumer privacy policy.”
U.S. companies are faced with a tough choice: apply strict first-mover standards like California’s to their national business, or slice and dice their business to comply with the emerging patchwork of international, state, and
local legislation. CFOs hate the first option as much as general counsels hate the second.
As a CISO, you’ll need to Observe, Understand & Act
Observe: Watch Europe. Europe currently serves as the ‘test-bed’ for US consumer privacy regulations. Expect this to continue. Partner with a trusted European colleague on your risk or legal team to help
get ahead of upcoming rulings. Building this relationship proactively will give you an in-the-know ally to help you interpret new regulations and to understand legislative intent.
Understand: Beef up your state regulatory awareness. Ask your outside legal counsel for a briefing on how your industry peers are complying with the growing hodgepodge of state and local consumer privacy regulations.
Understanding your peers’ actions will inform your thinking as legislation crystallizes in Sacramento, Albany and Springfield.
Act: Weigh the short-term cost savings vs. long-term headaches of taking a piecemeal approach. Privacy compliance will become more muddied over the coming 24 months as state and local actors enact privacy statutes that
you’ll need to comply with. Get time with your general counsel and head of comms to build a playbook for a coherent response.
Remember, regulators are often as interested in your intentions as they are in your compliance with the letter of the law. If you adhere to stricter standards early on, and in good faith, you can reduce the chance of opportunistic
state and local regulatory actions. Always leave a paper trail that explains both your compliance steps AND your good-faith intentions -- just in case things don’t go to plan.