One day before the midterm elections, and we’re fully into the silly season of data-related legislation in the United States, with prospective members of Congress setting forth their approach to managing privacy and security with a variety of proposals that are….let’s call them “interesting.”  I say “interesting” because it’s intriguing to see that candidates treat privacy as an issue worth discussing on the campaign trail, but also because it would take an interesting turn of events for these laws to be enacted.  Like a fundamental change to the way computers work, or the development of a massive cold front in certain warm climates.

For instance, Senator Ron Wyden of Oregon has proposed a bill that makes GDPR look like child’s play: it imposes the same kind of fines (4% of global turnover) but also permits the imprisonment of CEOs that lie about the safety of data.  For twenty years.  Now, given that not a single CEO has ever gone to jail for anything that took place during the Great Recession and all of the financial hijinks that went on, I think we can safely assume that this bill isn’t going anywhere, but, wow.

In addition to the surprises in the Wyden bill, there are definitional issues.  “Automated decision system” is set out as “a computational process, including one derived from machine learning, statistics, or other data processing or artificial intelligence techniques, that makes a decision or facilitates human decision making, that impacts consumers.”  But by that definition, your kid’s calculator used to figure out a discount on a glass of lemonade is an automated decision system, because it contains a computational process that facilitates human decision making that impacts consumers.

I’m obviously oversimplifying here, and I’m not picking on Senator Wyden – his is actually the best and most serious bill I’ve seen so far, which really tells you something.  At least he’s trying.  Most of the rest of the legislators who talk about privacy either conflate business security and consumer protection or think that all problems will be solved by breaking the FAMGA (Facebook Apple Microsoft Google Amazon) quintet into smaller companies.  It’s not necessarily that I think the politicians proposing these are cynically attempting to convince voters that they understand data security and privacy, I think these politicians are trying to convince themselves that they understand data security and privacy.

And that’s where we get into trouble, and what I call the “Brunhilde Effect.”

Brunhilde is a main character from Wagner’s Ring of the Nibelungen, the cycle of four operas, and it is a role that is notoriously difficult to play (and not just because the operas take about seventeen hours).  There’s some debate about who played her best in the last century, but you could boil it down to two candidates – Birgit Nilsson or Gwyneth Jones.  The former is arguably the greatest soprano of all time, and the latter played the role with such force that she simply was Brunhilde.  There are people who argue vehemently on both sides of this debate.

You know who Brunhilde is, even if you don’t.  If you recall Bugs Bunny cartoons, there was a time when the creator, Mel Blanc, relied extensively on classical music to provide background and themes.  It’s how many Americans know The Barber of Seville or Strauss’s most famous waltzes.  The best operatic reference, though, is 1957’s “What’s Opera, Doc?” which is so famous, and so beloved, it’s in the Library of Congress and is considered the greatest cartoon of all time.  You know it as “Kill the Wabbit,” and when Bugs dresses as a princess with the winged helmet – that’s Brunhilde.

Coming back to the main point, there are people with deep knowledge of data security and privacy in this country (like the privacy professionals at IAPP) who have the kind of experience and insight to have a “Nilsson v. Jones” level debate about what a data security law in this country should look like.  But the people who actually write the laws have, at best, a “Kill the Wabbit” level of understanding of data security and privacy.

That disconnect creates a serious problem.  How do we ensure that legislation reflects a thoughtful consideration of the primary issues when laws — even large, complex ones like the ACA or this year’s tax bill — are routinely thrown together at the last minute without everyone understanding, or even reading, them?  The crisis is magnified by Congress’s so-terrible-its-funny-but-not-really ineptitude when it comes to matters of technology — a problem perhaps traceable to the decision to eliminate the advisory board that educated members about technology just when the Internet was starting.  They’re getting help from some outstanding groups like TechCongress, but meaningful improvements are going to be a long time coming.

What can we do?  If nothing else, there needs to be a conversation that sets the framework for American data protection legislation.  The FTC’s series of hearings on privacy is a good start, but it is only a start.  We could begin, for instance, with an agreed taxonomy for privacy and data security, so that we do not find ourselves continually arguing over the meaning of “personal data,” “automated decision system,” or “breach.”  We need to discuss what kind of rights consumers should have — will it be only access, deletion, and restriction, or should we include mobility and the “right to be forgotten” too?  We also need to decide what kind of role federal legislation will play – will it set a baseline for security, or will Congress “occupy the field,” (as the tech giants seem to prefer) and preempt the states from legislating on the topic?

These are issues that need to be discussed, and by a wide variety of interested parties — legislators, yes, but also lawyers, privacy professionals, technologists, entrepreneurs, and the like.  The goal is not to make everyone in Congress a data privacy expert, but to develop a consensus on the basic principles.  If we can establish a framework built on that consensus, we have a much better chance of giving businesses the clarity they need while giving data subjects the protections they want and deserve.