With public trust in large tech companies at an all-time low, Congress is once again considering comprehensive data privacy legislation. But the rise of blockchain technologies and the nascent decentralized web mean that these comprehensive proposals are already behind the times. Without major revisions, these legislative proposals risk strangling decentralizing technologies in the cradle.
The 118th Congress has held many hearings on data privacy, and it is crucial that lawmakers consider how their proposals might impact technological innovation. In order to properly balance conflicts between individuals’ right to control their information and the necessity of innovation, lawmakers should abandon one-size-fits-all proposals in favor of the time-tested, sectoral approach to data privacy.
While there are several comprehensive data privacy bills floating around Capitol Hill, the one that has the most momentum is the American Data Privacy Protection Act (ADPPA). This bill would strictly govern how companies collect, process or transfer user data by requiring companies to minimize data collection and grant consumers the right to opt out of data collection, among other things.
The ADPPA is a well-intentioned piece of legislation designed to give consumers more control over their information. The bill also reflects the desire of many lawmakers to avoid a patchwork approach to data privacy by creating a national standard of comprehensive privacy protections.
Unfortunately, when it comes to data privacy rules, the past is prologue. Similar approaches to comprehensive data privacy protections have failed to account for nascent technologies, such as blockchain networks, significantly chilling innovation. For evidence of this, look no further than the European Union’s General Data Privacy Regulation (GDPR).
In addition to inhibiting investment and innovation in traditional tech industries, the GDPR is wholly incompatible with decentralizing technologies like blockchains that lack centralized controllers. In fact, the European Parliamentary Research Service admitted as much in a 2019 report. One of the biggest incongruities between the GDPR and blockchain technologies is the question of what entity is being regulated.
Among more traditional internet companies, it is relatively easy to determine who is collecting, processing and transferring data because they are usually centralized. In a decentralized system like a blockchain network, that question becomes significantly more difficult to answer. When thousands of computers are operating open-source code to verify public transactions, who or what is collecting, processing or transferring covered data? Like the GDPR, the ADPPA is silent on this question as well as numerous others relating to how decentralized networks would have to comply.
The European Union’s response to such incongruity in the GDPR is that innovators should build technologies that comply with the law in spite of the fact that doing so is practically impossible. This burdensome requirement has helped lead to a dearth of technological innovation across Europe. The same is likely to happen here if the United States were to implement the ADPPA as written. Many blockchain projects would move offshore or shut down altogether, taking with them enormous potential for economic growth and innovation.
Fortunately, there is an alternative approach that the U.S. could take that could simultaneously limit the problems of a patchwork approach to data privacy law and allow flexibility for innovative technologies. The answer is to break up comprehensive data privacy proposals into nuanced, sector-specific bills. For example, Congress could pass legislation laying out data privacy rules targeted specifically at e-commerce sites and social media services or even update existing laws like the Children’s Online Privacy Protection Act that governs data collection for minors rather than make omnibus, one-size-fits-all rules.
Historically, this is the approach that the U.S. has taken to data privacy in other industries. From laws about financial information to healthcare information, policymakers have traditionally created data privacy rules that are narrowly tailored to specific contexts. The Health Insurance Portability and Accountability Act, for example, governs the flow of healthcare information, while the Gramm-Leach-Bliley Act was designed to protect consumers’ financial privacy. These rules almost always preempt state-level rules and are generally more politically palatable than sweeping one-size-fits-all legislation.
Through a sectoral approach to data privacy legislation, lawmakers can create rules tailored to different contexts that harmonize with blockchain technologies. If lawmakers believe that a sectoral approach does not go far enough toward protecting consumers’ information, then they should at least draft comprehensive data privacy legislation in a way that won’t harm innovation and force innovators offshore. After all, there’s a reason most of the best and brightest technologists choose to live, work and build in the United States. It would be foolish to push them and their innovations away with short-sighted legislation.
Luke Hogg is a policy manager at the nonprofit Lincoln Network in Washington, D.C., where he focuses on the intersection of emerging technologies and public policy.
The views, thoughts and opinions expressed here are the authors’ alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.