How Should the United States Protect Data?

Does the United States need a federal data privacy policy? If so, what would one even look like?

The U.S. Congress has debated these questions for decades, but data issues have gained new prominence in recent years as the European Union and several U.S. states continue to pass privacy legislation. Data privacy legislation addresses collecting, storing, and transferring personal information. These regulations may also give individuals some rights to limit the use of their data.

As recently as February 2020, Congress appeared to be nearing an agreement on a federal data privacy policy.

Two major bills—one proposed by a Republican senator and one proposed by a Democratic senator—had “more similarities than differences” as the two parties debated the issues. According to experts, the two bills “showed promising agreement on significant issues, including data minimization, individual privacy rights, transparency, and discriminatory uses of personal data.”

The bills diverged, however, on the issues of superseding state privacy laws with a federal statute and providing individuals with a right to sue for violations of the law. As Democrats and Republicans refocused their efforts on crafting proposals for COVID-19 contact-tracing privacy protections, the same divisions reemerged.

In the absence of a uniform federal policy, several U.S. states have passed their own data privacy laws. The California Consumer Privacy Act (CCPA) allows individuals to opt out of data collection and grants people the ability to request that businesses delete some stored information.

Following California’s lead, Virginia recently became the second state to pass a data privacy policy. The Consumer Data Protection Act mirrors many of the rights afforded by the CCPA.

Although the United States lacks a uniform federal data privacy policy, consumers still have some protections under federal law. Federal statutes protect certain types of personal information. The Health Insurance Portability and Accountability Act (HIPAA) protects personal health information, and the Family Educational Rights and Privacy Act (FERPA) protects student education records.

U.S. businesses that operate abroad may also be subject to foreign data privacy rules, including the European Union’s General Data Protection Regulation (GDPR). Passed in 2016, the GDPR has become a model for several other countries as they craft their own data privacy legislation.

This week’s Saturday Seminar examines proposals for what a federal data privacy policy could include and how Congress should craft such a law and regulatory framework.

• Congress should implement a single “baseline data-protection law” to address personal data governance issues, Nuala O’Connor of the Center for Democracy and Technology argues in a Council on Foreign Relations report. She contends that a foundational data protection framework could allow companies to comply better with data protection regulations and resolve conflicts between incompatible state and federal policies. According to O’Connor, an effective baseline data protection framework would target all institutions that use personal information, address inconsistencies and gaps in current regulations, include incentives that encourage companies to prevent data breaches, and offer remedies for consumers facing privacy harms.
• Privacy law and policy will fail without more consideration for the implementation of regulations, David A. Hyman of Georgetown University Law Center and William E. Kovacic of George Washington University Law School claim. In a Fordham Intellectual Property, Media and Entertainment Law Journal article, they suggest two solutions to establish a clear line of authority for implementing federal privacy regulations. First, Hyman and Kovacic argue that the Federal Trade Commission should have enhanced enforcement authority and the ability to spearhead federal privacy regulations while working with other agencies, such as the U.S. Department of Justice and the U.S. Department of Commerce. Alternatively, Hyman and Kovacic propose creating a new agency that would serve as a “national privacy regulator” and assume the privacy-related issues of existing federal agencies.
• In a recent report, the Brookings Institution’s Cameron F. Kerry, John B. Morris, Jr, Caitlin T. Chin, and Nicol E. Turner Lee offer several key recommendations for a comprehensive federal privacy law. First, Kerry and his coauthors argue that the federal law should preempt, or supersede, inconsistent state privacy laws. Second, federal law should lower the threshold for seeking legal remedies when individuals experience privacy violations. Third, Kerry and his team recommend “narrowing the definition of ‘sensitive data’” that companies cannot collect without express consent. Finally, the authors emphasize protecting individuals’ rights “to request access, correction, deletion, and portability of personal information.”
• The Charles Koch Institute’s Neil Chilson argues in a Pepperdine Law Review article that federal privacy law should focus on “case-by-case enforcement frameworks where company practices are judged based on consumer outcome,” rather than on “detailed legislation and prescriptive mandatory privacy practices.” Restrictive regulation that requires government permission to innovate will narrow companies’ options, harming consumers, Chilson warns. Instead, he proposes a broad “permissionless approach” with the government regulating only the privacy outcomes and resolving issues on a case-by-case basis. This case-by-case approach can adequately remedy consumer injuries without restricting beneficial information flow, according to Chilson.
• U.S. lawmakers should embrace a theory of privacy “based upon constraining corporate power and protecting vulnerable consumers,” according to Northeastern University’s Woodrow Hartzog and Washington University’s Neil Richards. In a Boston College Law Review article, Hartzog and Richards argue against an omnibus federal statute to manage data privacy and instead advocate a layered approach that captures several overlapping areas. They claim that lawmakers should further limit data collection and weigh adding rigid data-deletion requirements. In addition, Hartzog and Richards argue in favor of using corporate law as a regulatory tool, which could ensure liability for executives committing privacy violations and create statutory protections for whistleblowers.
• Any federal data privacy legislation must consider the privacy needs of all people in the United States, “not just elites and industry,” the University of Baltimore School of Law’s Michele E. Gilman claims in an Arizona State Law Journal article. Gilman advocates the European Union’s GDPR as a model for “how to shore up privacy for our most vulnerable communities” and notes that Congress could adopt similar provisions to advance economic justice. For example, the GDPR includes a “right to be forgotten,” which allows individuals to demand that their personal data be deleted if collected. A version of this right in the United States could also address issues around criminal records, which disproportionately impact people of color and may remain on public databases even after expungement, according to Gilman.