Making internet privacy work for everyone

Making internet privacy work for everyone
© Getty Images

If policymakers worldwide thought grappling with the implications of the European Union’s General Data Protection Regulation (GDPR) was wild, the U.S. is about to launch a whole new privacy-related theme park.

With the looming California Consumer Privacy Act of 2018 due to take effect by January 2020, the U.S. Congress will be under a magnifying glass as it considers its approach to drafting a new federal privacy law to override or compliment California’s. Just this week, there was a House Committee Hearing on protecting consumer privacy and a Senate Committee Hearing on principles for a federal data privacy framework.

Considering any form of privacy legislation that applies to some of the world’s largest tech giants would touch virtually everyone online, U.S. policymakers have a tremendous opportunity to take the lead on healthy privacy laws and regulations that protect both users and innovation online.

Granted, it’s not going to be easy.


Privacy protection is not a new concept. Indeed, most modern laws and frameworks can trace their origins to the principles in the 1980 OECD Privacy Guidelines and the 1981 Council of Europe Convention. However, so much has changed with the advent of the Web, social media, messaging apps, and a global digital economy that it’s hardly a surprise these founding guidelines are more irrelevant each passing month.

Despite attempts to “future-proof” privacy protection, it’s constantly being challenged by the sheer amount of personal data that’s increasingly available. For all of its potential to inspire innovative breakthroughs and solutions to some of the world’s most pressing issues and problems, the Internet is equally as vulnerable to misuse.

Perhaps one of the lessons that hit home hardest, especially in the U.S., was the Facebook/Cambridge Analytica scandal that broke in early 2018. Through an innocent-looking quiz, a data analysis firm was able to collect intimate information on roughly 87 million Facebook users — without their consent — to target ads during the 2016 U.S. presidential election. Not only did it expose the vast power of data to influence populations; it also revealed a chasm in existing privacy protections. And, it damaged our trust of the Internet.

So how do we protect privacy today?

Let’s be honest: Protecting privacy in today’s fast-paced environment is a serious challenge, especially as it’s hard to predict the countless ways personal data could be used and misused.

Nonetheless, policymakers and business leaders can help restore trust online by championing the privacy of everyone online everywhere and standing for genuine and lasting protection of our personal data.

It’s more important than ever that laws and policies created to protect users provide clear, achievable rules for privacy protection that data handlers are proud to champion. It’s also critical to do so in a way that doesn’t harm the infrastructure of the Internet. 

We can start by taking a hard look at how we justify the uses of personal data.


Prerequisites such as “legitimate business interest” and “user consent” were meant to provide fair boundaries, but too often bad practices are excused on the grounds that a user gave consent or it was “needed” for a business purpose. Yet these days, it seems that more often than not we’re asked to agree to terms and conditions that most people never read nor fully understand. The only other choice we have is to not use the service. There is rarely an option to negotiate the privacy terms of service.

In some cases, without us even being aware, our data is used in ways we might never have imagined just because a company decided it was a good idea for its business. To create lasting privacy protection in a world consistently innovating and reinventing itself online, we must ask ourselves the tough and unpopular questions — and keep asking them regularly. Here are a few for starters:

Would a reasonable person consider the collection, use and/or disclosure of their personal data to be legitimate and fair? (Not from the business’s perspective, but from the perspective of society and the individual).

Have we given companies too much freedom to indulge new data uses without additional consent?

Are there some uses of personal data that should simply be no-go zones?

At the same time, we also need to provide tangible incentives for good privacy practices and other ways to achieve personalized services that do not sacrifice privacy. The Internet Society recently published tips for policymakers on signs of a good privacy law framework as a helpful starting point.

With so much focus on privacy in the U.S. this year, this is a great opportunity to challenge our assumptions, ask the tough questions and shift the balance in favor of individuals’ privacy.

There may not be a one-size-fits-all solution, but we can start building trust online by putting concrete safeguards in place to protect our personal data. As the U.S. Congress contemplates its approach to privacy legislation this week, let’s all commit to making it work for everyone.

Christine Runnegar is the senior director of Internet trust at the Internet Society, a non-profit organization founded in 1992 to provide leadership in Internet-related standards, education, access, and policy. She leads the non-profit’s trust agenda which advocates for policies that support an open, globally-connected and secure Internet.