Now that the world has survived Europe’s implementation of the General Data Protection Regulation (which became effective on May 25, 2018), and countries like Brazil and states like California and New York have passed their own data protection laws, one cannot help but wonder: Is it finally time for the United States to pass a federal data protection law of its own?
It’s tempting. Instead of a patchwork of overlapping and occasionally conflicting legislation at the international, national and state levels, we’d have a unified law. Of course, we’d still have to comply with GDPR and other international laws, but rather than following everyone else’s lead, the U.S. government could provide a coherent legislative approach that might appease everyone — consumers, the regulated community, privacy advocates and the government regulatory agencies.
The Case for a Federal Data Protection Law
With an umbrella data protection law, legal and compliance teams (and even everyday businesspeople) would not need to parse as many overlapping legal requirements to figure out what data needs to be managed, how and when it needs to be managed, whom to inform and so on.
Today, depending on your location and industry, you may have to navigate the requirements of GDPR, other countries’ data protection laws and U.S. data privacy statutes (and their accompanying regulations), such as:
- The Gramm-Leach-Bliley Act (formerly known as the Financial Modernization Act of 1999), which focuses on the financial services industry’s management of personal information
- The Health Information Portability and Accountability Act (HIPAA), which focuses on the healthcare industry and the privacy of “individually identifiable health information”
- The Federal Trade Commission Act, which generally forbids deceptive or unfair practices against consumers, such as an organization’s failing to adequately protect data or to follow its own privacy policies
- The Fair Credit Reporting Act as amended, which includes credit card security measures and identity theft detection and response requirements
- The Driver’s Privacy Protection Act of 1994, which governs the disclosure of personal information possessed by state departments of motor vehicles
At the very least, a federal data protection law would be a step toward uniformity and simplicity. States don’t all use the same standard to determine which information is protected. Some focus on Social Security numbers, some on personally identifiable information (PII) and some on cybersecurity risk. A federal U.S. data protection law could benefit not only organizations, but also individuals, who could enjoy a more consistent layer of protection.
Not So Fast …
Comprehensive federal legislation might seem attractive, but it isn’t passed all that often. For instance, the United States does not have a comprehensive environmental protection statute. And just think about how long it took to pass comprehensive health insurance legislation, and about the legal challenges that followed.
It may surprise some that the word “privacy” does not appear in the U.S. Constitution (rather, to summarize a long history of litigation on the subject, privacy rights “emanate” from the document), and certainly data protection is not an enumerated right in the Constitution, either. There’s no consensus on the nature of data protection rights — especially where we voluntarily provide our own data to various entities.
Most people agree that certain elements of internet usage have sometimes gone awry, but web use remains a voluntary activity. Moreover, data is useful — it makes targeted advertising effective and helps search engines produce relevant results. Some may not want to limit access to data for that reason.
A comprehensive federal data protection law would not come without costs and would add yet another layer of compliance for organizations. Issues with enforcement, lawsuits, clogged courts and more could take lots of time and slow the economy down.
Ultimately, whether or not we get a federal law, the existing international and state legislation has arguably helped organizations and individuals learn to appreciate the importance and sensitivity of data. The culture around data safety has already been transformed.