In 2021, a survey found that home loan algorithms systematically discriminate against qualified minority applicants. Unfortunately, stories of questionable for-profit data uses like this are all too common.
Meanwhile, laws often prevent nonprofits and public health agencies from using similar data. – like credit and financial data – to reduce inequalities or improve people’s well-being.
Legal data limitations have even been a factor in the fight against the coronavirus. Health and behavioral data is essential to fight the COVID-19 pandemic, but public health agencies have often been unable to access important information – including government and consumer data – to fight against the virus.
We are professors at Texas A&M University School of Public Health and Law School with expertise in health information regulation, data science, and online contracting.
US data protection laws often largely allow the use of data for profit, but are more restrictive for socially beneficial uses. We wanted to ask a simple question: Do US privacy laws really protect data the way Americans want? Using a national survey, we found that public preferences are inconsistent with restrictions imposed by U.S. privacy laws.
What do the American public think about data privacy?
When we talk about data, we generally mean information collected when people receive services or buy things in a digital society, including information about consumer health, education, and history. Basically, data protection laws address three questions: What data needs to be protected? Who can use the data? And what can be done with the data?
Our team surveyed over 500 residents of the United States to find out which uses people are most comfortable with. We presented participants with pairs of 72 different data use scenarios. For example, are you more comfortable with a company that uses education data for marketing or a government that uses economic activity data for research? In each case, we asked participants which scenario they were most comfortable with. We then compared these preferences with US law – in particular in terms of the types of data used, who uses this data and how.
Under US law, the type of data is extremely important in determining which rules apply. For example, health data is highly regulated, while purchasing data is not.
But surprisingly, we found that the type of data used by businesses or organizations was not particularly important to US residents. The purpose and use of the data was much more important.
The public was more comfortable with groups using data for public health or research purposes. The public was also comfortable with the idea of universities or nonprofits using data as opposed to businesses or governments. They were less comfortable with organizations using data for profit or law enforcement. The public was least comfortable with companies using economic data to increase profits – widespread and poorly regulated use.
Overall, our results show that the public tends to be more comfortable with altruistic uses of personal data as opposed to selfish uses of data. The law promotes more or less the opposite.
What is allowed, what is not
Ideally, data protection laws would limit the riskiest uses of data while allowing or even promoting beneficial and low-risk activities. However, this is not always true.
For example, a federal law prohibits the sharing of drug treatment records without the consent of an individual. It is, of course, beneficial in many cases to protect these sensitive files. However, during the ongoing opioid epidemic, these records could provide essential information on where and how to intervene to prevent overdose deaths. Worse, when only certain data is withheld for confidentiality reasons, the remaining data may actually lead researchers to draw the wrong conclusions.
Sometimes the laws allow the data to be used in ways that the American public finds disturbing. In most U.S. business contexts, using personal information for profit – for example, a company using personal information to predict the pregnancies of its customers – is legal if this action is covered by a company’s privacy notice.
The awareness and unease among the American public about how businesses use personal information has prompted lawmakers to explore new data regulations. Experts have argued that the status quo – a confusing patchwork of privacy laws – is inadequate, and some have argued for comprehensive privacy laws.
In the absence of federal legislation, some states have voted to put in place more comprehensive laws. California did in 2018 and 2020, Virginia and Colorado in 2021, and other states are expected to follow suit. If new laws are in effect, we believe it is vitally important that the public have a say in what uses of data should be restricted and what should be allowed.
How Can Good Data Privacy Laws Help?
Every year, hundreds of thousands of Americans die from social factors such as education, poverty, racism, and inequality, and there are protected data sets that public health officials, researchers and policy makers could use to promote the common good.
The data use case with the most public support is where researchers use education data for public health. Importantly, research shows that nearly 250,000 deaths in the United States each year can be attributed to low education. – for example, a person with less than a high school diploma – and a low level of education can contribute to poor nutrition, poor housing and a poor working environment. But federal education privacy law restricts groups’ access to public health education records or any health research. In this case, US data protection laws severely restrict the ability of researchers to understand these deaths or how to prevent them.
Data exists to better understand many other complex issues – like racism, obesity and opioid abuse – but data protection laws often hamper health authorities or researchers who wish to use them.
Our research suggests that the current legal barriers that prevent the use of data for the common good contrast starkly with the wishes of the public. As laws are revised or put in place, they could be designed to represent the wishes of the public and facilitate research and public health. Until then, US data privacy laws will continue to prioritize profit over the public good.
This article is republished from The Conversation under a Creative Commons license. Read the original article.