Illinois was also early to regulate biometric data collection, passing the Biometric Information Privacy Act in 2008.

For example, we know one of the ways to make people care about negative externalities is to make them pay for it; that’s why carbon pricing is one of the most efficient ways of reducing emissions. There’s no reason why we couldn’t enact a data tax of some kind. We can also take a cautionary tale from pricing externalities, because you have to have the will to enforce it. Western Canada is littered with tens of thousands of orphan wells that oil production companies said they would clean up and haven’t, and now the Canadian government is chipping in billions of dollars to do it for them. This means we must build in enforcement mechanisms at the same time that we’re designing principles for data governance, otherwise it’s little more than ethics-washing.

Similarly, technology can help us control the climate, make AI safe, and improve privacy.

To join the Privacy Shield Framework, a U.S.-based organization is required to self-certify to the Department of Commerce and publicly commit to comply with the Framework’s requirements. While joining the Privacy Shield is voluntary, the GDPR goes far beyond it.

Co-regulation encompasses initiatives in which government and industry share responsibility for drafting and en-forcing regulatory standards

policy makers and scholars should explore an alternative approach known as “co-regulation.