- Can you demonstrate the provenance of every phone number, email address and other contact mode on your phone? Note people's birthdays? Sure, you only want to target companies. Make sure you choose your acquaintances wisely, I guess, or make sure you record their grant of permission to email them, because people abuse laws like this to harass each other every single day.
- This also punishes possession, not use. If you think about that for a minute, it should become clear both how this doesn't attack the right problem, and how companies would evade it.
- Finally... how are you going to audit Ford or Geico? Honest question. Who pays for the audit of "every piece of unattested PII on every individual"? How often, what is the dispute mechanism, and who administers that? Seriously - this sounds like a job for a new agency combining significant portions of the IRS, the FBI and PwC.
If companies were immune to data breaches or leaks, then maybe this wouldn't be such a big deal. But I don't trust most companies to securely hold my data, even if they don't use it at all.
And besides, by the time a company uses the data in a privacy-destroying way, it's too late. The cat is out of the bag. Sure, the law against use could serve as a deterrent, but companies will push the law past the breaking point all the time. If you make possession trigger legal action, you can mop these things up before they get to use your data. Sure, you still have the problem of finding out about that possession. But also consider that if you have laws against possession and "bad" use, and a company does something, you can charge them for both things and hurt them more. That's a larger deterrent.
Yes. There are many laws (e.g. accounting) that only apply to companies, when it's scale that amplifies harm.
> possession, not use
How are they different, in this context? The latter requires the former, and the former is unprofitable without the latter.
> how are you going to audit Ford or Geico?
As you note, similarly to how we audit now, albeit hopefully more proactively. If the law requires a signed off third-party PII audit, and holds an auditor legally liable for signing off on one... I expect the problem would (mostly) take care of itself.
PII is always going to be a game of edge cases, but we've managed to make it work with PCI and PHI in similarly messy domains.
Right now, companies have GDPR & CCPA to nudge them in data architecture. National laws would just further that. I can attest to major companies retooling how they handle and track consumer data just due to the CCPA.
I think we are both arguing that clear consent must be present, and the customer must have clearly agreed to whatever you are doing with the data - that appears similar to GDPR.
However, how do you prove John Doe has actually agreed to this? What if John says he did not click the accept button? Do we require a digital signature with certificates, given that most people don't have them or know how to use them?
I think the problem is more tractable for physical products running firmware - there you have real proof of purchase, and, at present, firmware that does whatever it wants.
It's analogous to the credit card fraud problem, no? E.g. disputing charges and chargebacks?
I don't work in that space, but my understanding is that the card processors essentially serve as dispute mediators in those instances.
So it would seem unavoidable (although not great) to have some sort of trusted, third-party middle person between collectors and end users, who can handle disputes and vouch for consent.
Blockchain doesn't seem like a solution, given that the problem is precisely in the digital-physical gap. E.g. I have proof of consent (digital) but no way to tie it to a (disputed) act of consent (physical).
> If your company has PII, then you by law must be able to produce a consented attestation chain all the way back to the source.
So...basically the GDPR? Well, not quite, since the GDPR doesn't require consent attestation, "merely" a legal basis. Of which consent is just one (the most useless one to use as a company).
What should be targeted is the product of said breaches. Something like the blood diamond approach.
If your company has PII, then you by law must be able to produce a consented attestation chain all the way back to the source.
If you do not, then you're charged a fine for every piece of unattested PII on every individual.