Communications of the ACM

repeated phone calls and email messages for comment for this article.

Lan Jenson, CEO of Adaptable Security, a non-profit organization dedicated to protecting society from cybercriminals, says there needs to be a compromise between those who want IT regulation and those that believe regulation simply stifles innovation and competition. Furthermore, in the absence of specific regulations, Jenson believes there should be a concerted effort to help smaller and new market entrants address the root problem of data security and privacy. Several non-profits are working to address the issue, including:

˲Jenson’s Adaptable Security, which provides pro bono or at-cost consulting services;

˲ the Global Cyber Alliance, which offers free cybersecurity toolkits for SMBs, and

˲ the National Cyber Security Alliance, which offers free informational webinars, is trying to help smaller organizations provide better data security for their users.

Regardless, coming to agreement on what should be regulated, which authority should be responsible for writing and enforcing the regulations, and how penalties should be meted out is likely to be challenging, according to David Weinberger, a senior researcher at Harvard University’s Berkman Klein Center for Internet & Society, and author of Everyday Chaos: Technology, Complexity, and How We’re Thriving in a New World of Possibility. “I can certainly see regulators stepping in, one way or another,” Weinberger says.

However, the details of how federal
regulation of data privacy and security
will be applied are unlikely to be re-
solved in the near term, largely due to
multiple competing interests on both
sides of the political aisle, explains
Grimmelmann.

“I expect this is something we’ll still be grappling with 10 years from now,” Grimmelmann says. “If this were a simple left/right political issue, you would expect that when you have Republicans in control, they would pass legislation that they agree on, but they don’t. You have some Republicans who are highly libertarian about technology, and some who are very skeptical about tech. You have some Democrats who are very friendly with technology, and others who are very skeptical about big tech and its effect on the democracy. And as a result, you don’t get a simple coalition in Washington that’s going to say, ‘OK, you’re in power now, you’re going to impose our preferred privacy and other tech regulations’.”

Further Reading

Adaptable Security https://adaptablesecurity.org/ California Consumer Privacy Act https://www.caprivacy.org/ Cybersecurity Information Sharing Act https://www.congress.gov/bill/

114th-congress/senate-bill/754

Cybersecurity Enhancement Act of 2014 https://www.congress.gov/bill/

113th-congress/senate-bill/1353/text Federal Exchange Data Breach Notification Act of 2015 https://www.congress.gov/bill/

114th-congress/house-bill/555

General Data Protection Regulation https://eugdpr.org/ Global Cyber Alliance https://www.globalcyberalliance.org/ National Cybersecurity Protection Advancement Act of 2015 https://www.congress.gov/bill/

114th-congress/house-bill/1731

National Cyber Security Alliance https://staysafeonline.org/ Telecommunications Act of 1996 https://transition.fcc.gov/Reports/ tcom1996.pdf Mark Zuckerberg: The Internet needs new rules. Let’s start in these four areas, The Washington Post, March 30, 2019 https://wapo.st/2R3hYlg

Keith Kirkpatrick is principal of 4K Research & Consulting, LLC, based in Lynbrook, NY, USA.

eral Data Protection Regulation (GDPR), which regulates the handling and privacy of the data of individual citizens of the EU and the European Economic Area (EEA), and also addresses the export of personal data outside the EU and EEA regions. Because multinational companies operate both within the EU and beyond it, some companies are applying GDPR rules across all of their customer base, thereby providing indirect regulatory control to areas such as the U.S., which does not have a national regulatory framework covering data privacy or security.

“Many companies at this point would be fine complying with GDPR, with similar rules worldwide, and many companies, in fact, have done that,” says James Grimmelmann, a professor of law at Cornell Tech and Cornell Law School. However, given the restrictive nature of some of the components of GDPR, such as the requirement that individuals can request erasure of personal data related to them on any one of a number of grounds within 30 days of its publication, certain business models may not be compatible with GDPR.

“It may be that the kind of ad net-
works that Facebook and Google use
simply can’t operate under GDPR,”
Grimmelmann says, adding, “it will
take a few years to find out whether
that’s the case or not.”
While efforts to protect individu-
als’ privacy and personal data in the
U.S. are under way, much of the work
being done is at the local or regional
level, rather than the federal level. For
example, the California Consumer
Privacy Act was signed by then-gover-
nor Jerry Brown last year and is set to
go into effect in January. The Act con-
veys three main rights to consumers
in California: the right to know what
information is being collected about
them; the ability to tell a business
not to share or sell their personal in-
formation; and the right to have data
protections put in place by companies
that collect and store personal data. It
should be noted, however, that Cali-
fornians for Consumer Privacy, the
group that initial spurred the legisla-
tion, does not appear to be pushing
for similar nationwide regulation, and
no one from the group responded to