It’s time for a uniform national privacy law

When Europe’s General Data Protection Regulation went into effect in May this year, the world hailed it as landmark privacy legislation. But, in many ways, it was a missed opportunity to provide real data protections, and instead imposes unworkable and intrusive choices on consumers and a blizzard of compliance burdens for business.

California’s hastily drafted privacy law also relies the same limited notion of individual control instead of focusing on genuine privacy protections. The legislature will consider technical amendments this month and further changes before the law goes into effect in 2020, but the chances of a major new approach are slim.

These developments have put privacy on the national agenda.  It makes sense to work toward a better U.S. privacy framework that would replace conflicting and less protective state laws.

The guiding principle should be to do no harm.

Creating a broad individual right to control personal information is the key protection in both the European approach and the California privacy law. But this is the wrong emphasis.  Of course, individual control is an element in data protection, but giving it primary importance confuses means and ends.  The real goal of privacy policy should be to prevent injury to people that arises from the collection and use of their information. Control is only one way to achieve this, and is, as many privacy scholars such as Woody Hartzog have pointed out, not always an effective tool for this purpose.  Effective privacy laws such as the Fair Credit Reporting Act use other tools such as access and correction and notices of adverse action instead of individual control.

Focusing privacy protection on the prevention of consumer harm should be at the heart of new privacy legislation.  The Federal Trade Commission already does this in its current privacy and security enforcement activities, acting against conduct that is so dangerous to consumers that it is unfair or deceptive under Section 5 of their enabling statute.

A new national law should cover the same topics addressed in the California law such as notice, consent, access, data minimization, portability and deletion.  But it should require the FTC to interpret, implement and enforce these measures guided by the overarching principle of preventing substantial consumer injury.  This approach would provide substantive protection for consumers, instead of just a welter of annoying choices.

The law should not disturb the decades of interpretation and precedent under existing privacy laws that cover medical, financial, and educational records and are enforced by other agencies.  It should create uniform rules for entities and activities not already covered under these statutes.  For instance, it should provide the same rules for both broadband service companies and edge providers.

Internationally, an emphasis on controlling informational injury could be the U.S. contribution to the on-going global discussion on how best to provide data protection.  Many other countries including Brazil and China are imitating the European approach with its overemphasis on individual control largely because they see no credible alternative. 

With the passage of a new U.S. privacy framework focused on preventing informational injuries, the U.S. could regain global privacy policy leadership with a genuine alternative for other countries to follow.

A new privacy law will have to be carefully written to avoid constitutional problems.

Legal scholars have long known that privacy protections intrinsically affect speech.  As Eugene Volokh put it, privacy is a right to stop people from speaking about you.  And in Sorrell v. IMS, the Supreme Court made it crystal clear that “the creation and dissemination of information are speech for First Amendment purposes.” The court struck down a Vermont law regulating prescription information because it was not drawn to directly advance the state’s claimed interest in privacy, or any other substantial government interest.

The constraints on the use of public records in the data broker law recently passed in Vermont and comparable restrictions in the new California privacy law suffer from similar constitutional infirmities.

Going forward, this established legal ruling that data is speech means that any new national privacy legislation will have to be carefully written to pass heightened First Amendment scrutiny. Focusing the new law on narrowly crafted measures to prevent consumer informational injuries could help it pass constitutional muster.

The time to think about these privacy issues is now

The Administration is examining privacy principles and hopes to release a notice asking for public comment sometime in September.  Now is the time for the privacy community including industry groups, privacy advocates and scholars, civil liberties groups, and consumer protection groups to participate in crafting a new national approach to privacy protection.