by Carl Schonander

Why it’s time for a strong federal privacy law

Sep 20, 2019

A federal privacy statute can harmonize privacy law, leave room for states to regulate/enforce and enable American global tech policy leadership.

In the late 19th century, Samuel Warren and Louis Brandeis published the “Right to Privacy,” articulating for the first time in the United States a privacy right, defining it as the “right to be let alone.”

Over the next nearly 130 years, US law on privacy continued to develop through common law torts, constitutional interpretation, the implementation of the Fair Information Practice Principles and the development of federal and state sectoral privacy law. Despite being a global leader on privacy, however, the US never developed a comprehensive federal privacy law to regulate the commercial use of information, or data; instead enacting laws to protect particularly sensitive personal data privacy, such as financial, health and children’s information.

The rest of the world, in contrast, began regulating information privacy as a comprehensive national concern. This national-level comprehensive approach corresponded with the enormous growth of the global digital economy, spearheaded by the commercial Internet and unprecedented global connectivity. Suddenly, data, which lacks any intrinsic value, became valuable based on how it could be processed to generate value. Now, data is integral to our national economy, the global economy and trade.

A recently released issue brief from the Software Information & Industry Association (SIIA) titled “Preemption and Privacy: Primer on Legal and Policy Considerations” makes this point and then discusses two legislative proposals for how to structure a preemption provision in a much needed strong federal privacy law.

Preemption needed for consumers, industry and for American global leadership

The regulation of personal data is a matter of national and global economic concern due to unprecedented global connectivity, the value of cross-border data flows and its implications for digital trade. A federal privacy law will have national economic impact because federal privacy legislation will regulate beyond tech, impacting traditional businesses and small- and medium-sized enterprises (SMEs).

Data has an incontrovertible impact on the national economy, which is why Congress should counteract potential harms to SMEs and the global economy and our national economy by enacting a harmonized data privacy standard for the benefit of our economy, consumers and innovation. Finally, preemption is needed to ensure that the United States can exercise leadership in international privacy, digital trade and technology policy discussions.

Targeted preemption still allows states flexibility

The preemption doctrine is generally used to provide uniform rules for areas of national (and international) import, and it is critical that policymakers consider preemption when drafting legislation, even if they do not concede their support for preemption until a bill is ready for vote. A well-crafted preemption provision can ensure that the federal privacy law provides equal protections for all consumers, irrespective of their state of residence, while leaving intact state laws which regulate personal data (directly or indirectly) that have a uniquely local concern and execute the state police powers.

So legislators should identify the types of state laws a federal privacy law should exclude from preemption (including consumer protection laws except to the extent they are enforced to regulate personal data; criminal laws; laws relating to wiretapping, the protection of Social Security numbers, identity protection, or student privacy; and state constitution, contract and tort laws) and the expectation that any preemption provision will retain the federal sectoral model, including some state laws that are permitted by the savings and preemption clauses of those federal sectoral laws.

These sectoral laws are the Health Insurance Portability and Accountability Act, (HIPPA), the Family Educational Rights and Privacy Act (FERPA), the Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLB) Act. Moreover, there are unique concerns that children’s and students’ privacy present, with the Children’s Online Privacy Protection Act’s (COPPA) express preemption provision and the uniquely local concerns surrounding student privacy.

Proposals for how to make preemption work leave states with flexibility

There are two legislative proposals on preemption worth considering: the Information Transparency & Personal Data Control Act (H.R. 2013) and the Intel Privacy Bill. These proposals, along with research recently released by the Congressional Research Service, leave significant room for state regulation while harmonizing information privacy generally. Congress could  further clarify the provisions to ensure the law:

  1. Excludes from preemption all state and local consumer protection laws (except to the extent they regulate personal data collection and processing)
  2. Unambiguously saves state constitutional, trespass, contract, or tort law except to the degree the law is enforced to govern personal data collection and processing
  3. Protects state laws banning revenge pornography (unless the federal privacy law includes a provision regulating this at the federal level)

Congress could further consider inserting an expanded savings clause to clarify its intent that the federal privacy law does not supersede the federal sectoral privacy laws, as well as other privacy laws relating to how public entities (such as government agencies) collect and process personal data.

It’s complicated…

As with so much in the privacy debate, preemption is complicated. And while preemption would give the federal government the lead, it does not mean that states would not continue to be important players. They will continue to be able to legislate in areas particular to their jurisdictions and current federal sectoral laws. Moreover, there is a growing consensus that state Attorneys-General will, together with FTC, enforce a federal privacy law, which would open up a new area of significant state action in the privacy space.