When Europe’s General Data Protection Regulation went into effect in May this year, the world hailed it as landmark privacy legislation. But, in many ways, it was a missed opportunity to provide real data protections; instead, it imposes unworkable and intrusive choices on consumers and a blizzard of compliance burdens on business.
California’s hastily drafted privacy law also relies on the same limited notion of individual control instead of focusing on genuine privacy protections. The legislature will consider technical amendments this month and further changes before the law goes into effect in 2020, but the chances of a major new approach are slim.
These developments have put privacy on the national agenda. It makes sense to work toward a better U.S. privacy framework that would replace conflicting and less protective state laws.
The guiding principle should be to do no harm.
Focusing privacy protection on the prevention of consumer harm should be at the heart of new privacy legislation. The Federal Trade Commission already does this in its current privacy and security enforcement activities, acting against conduct that is so dangerous to consumers that it is unfair or deceptive under Section 5 of its enabling statute.
A new national law should cover the same topics addressed in the California law such as notice, consent, access, data minimization, portability and deletion. But it should require the FTC to interpret, implement and enforce these measures guided by the overarching principle of preventing substantial consumer injury. This approach would provide substantive protection for consumers, instead of just a welter of annoying choices.
The law should not disturb the decades of interpretation and precedent under existing privacy laws that cover medical, financial, and educational records and are enforced by other agencies. It should create uniform rules for entities and activities not already covered under these statutes. For instance, it should provide the same rules for both broadband service companies and edge providers.
Internationally, an emphasis on controlling informational injury could be the U.S. contribution to the ongoing global discussion on how best to provide data protection. Many other countries, including Brazil and China, are imitating the European approach, with its overemphasis on individual control, largely because they see no credible alternative.
A new privacy law will have to be carefully written to avoid constitutional problems.
Legal scholars have long known that privacy protections intrinsically affect speech. As Eugene Volokh put it, privacy is a right to stop people from speaking about you. And in Sorrell v. IMS, the Supreme Court made it crystal clear that “the creation and dissemination of information are speech for First Amendment purposes.” The court struck down a Vermont law regulating prescription information because it was not drawn to directly advance the state’s claimed interest in privacy, or any other substantial government interest.
The constraints on the use of public records in the data broker law recently passed in Vermont and comparable restrictions in the new California privacy law suffer from similar constitutional infirmities.
Going forward, this established legal ruling that data is speech means that any new national privacy legislation will have to be carefully written to pass heightened First Amendment scrutiny. Focusing the new law on narrowly crafted measures to prevent consumer informational injuries could help it pass constitutional muster.
The time to think about these privacy issues is now
The Administration is examining privacy principles and hopes to release a notice asking for public comment sometime in September. Now is the time for the privacy community including industry groups, privacy advocates and scholars, civil liberties groups, and consumer protection groups to participate in crafting a new national approach to privacy protection.