If we had online privacy laws, we could have nice things
(Note: this is a copy of a post I made in the Open Twin Cities forum, responding to a thread about The Atlantic's recent article on Estonia's leading use of digital information and authentication assets to create a modern platform for markets and governance.)
If we could learn just one lesson from Estonia, I'd like it to be this:
This liquid movement of data between systems relies on a fundamental principle to protect people's privacy: Without question, it is always the citizen who owns his or her data and retains the right to control access to that data. For example, in the case of fully digital health records and prescriptions, people can granularly assign access rights to the general practitioners and specialized doctors of their choosing. And in scenarios where they can't legally block the state from seeing their information, as with Estonian e-policemen using real-time terminals, they at least get a record of who accessed their data and when. If an honest citizen learns that an official has been snooping on them without a valid reason, the person can file an inquiry and get the official fired.
It is difficult to get to this level of reliance on digital assets without robust legal protection and remedies for violation from private and public actors. The US has a patchwork system for regulating online privacy, with weak self-regulation in most areas, but more significant, actionable regulation in the areas on which significant markets rely - financial and health information. U.S. online privacy regulation is guided by principles that I believe are in line with the Estonian system, but they are largely unenforceable because they are only principles, not statutes. This creates a pretty ill-defined privacy system that I believe is preventing the market from stepping in to provide the type of personal data storage infrastructure that Estonia has built. It's not for lack of interest - I believe Google/Amazon/Microsoft/Facebook/etc… would jump into this space if the rules were defined. In fact, via the various authentication initiatives of the last few years (login via Facebook/Google+/Personas/OAuth), the private sector has already been nibbling at the edges of this problem. But when nobody is quite sure what the rules regarding personal data privacy are right now, let alone what they will be in a year, nobody is going to put serious money into creating the digital personal information storage, authentication, and access infrastructure that Estonia has created.
In the US, I think a comprehensive privacy regime would have to be created at the federal level - a combination of Congressional action and FTC rules. But California has shown that states can apply privacy protections beyond what the federal government provides. So a question to consider might be: what additional privacy rights or protections can Minnesota extend to its citizens that would aid the creation of an economic and governance system that leverages digital infrastructure as well as Estonia's does?