The Argument for a National US Data Privacy Framework
Against the backdrop of escalating cybercrime and data breaches throughout 2020 and 2021, state legislators in over 29 US states have thrown the spotlight on data privacy this year, putting it high on the agenda in legislative sessions.
Among other things, the rights of consumers to opt out of data collection on websites, providing watertight protection and privacy for children online, and the monitoring of employee emails have all been closely scrutinized.
Perhaps most crucially, legislators have taken a closer look at the role and responsibility of commercial and governmental entities in ensuring data protection, as well as the need for companies to make clear what data is collected, what will be done with it, and for how long it will be kept.
Ultimately, only Virginia and Colorado have signed data privacy bills into law this year, which came into effect on March 2, 2021, and July 7, 2021, respectively. This makes them the second and third states after California to enact such laws. However, other states have seen their data privacy bills fail to pass.
Without a national framework in place, even Virginia, Colorado, and California will fail to adequately protect consumer data privacy, for two critical reasons: first, the internet is not contained within a single state's boundaries, so state laws cannot consistently govern activity that crosses state lines or satisfy federal compliance requirements; and second, importantly, participants operating online can only be regulated by the federal government under the Commerce Clause (Article I, Section 8 of the Constitution).
Consumer privacy legislation is a critical foundation for protecting the rights of consumers and ensuring their safety and privacy online. There is currently no US national legislation that assigns responsibility for this to any commercial or governmental entity, and given the increasing magnitude of data breaches and digital stewardship failures, addressing this gap has become paramount.
Today, we are living in an environment of escalating cybercrime, with a record-breaking number of data breaches of increasing sophistication and severity taking place year on year. So it comes as no surprise that consumer confidence in the promise of data security is at an all-time low and that the majority of Americans now believe they have entirely lost control of their data.
A Patchwork of Existing Protection
Furthering this patchwork of state privacy laws will only serve to create more confusion and instability for both businesses and customers. For example, these laws do not account for interstate commerce, so they will burden any business operating in or selling to customers across multiple states.
In the absence of a consistent national privacy protection regime, more states will enact their own local rules, which will raise costs and complicate compliance even further, leaving businesses and individuals alike facing a myriad of enforcement regimes.
Much of the western world has adopted comprehensive legal protections for personal data. But the United States continues to struggle with this, with sector-specific laws and regulations that fail to adequately protect consumer data and only serve to deliver complicated and often contradictory requirements for business and consumers.
A good example of this is the Health Insurance Portability and Accountability Act (HIPAA) – the United States’ primary health privacy and security law that only applies to “covered entities” holding “protected health information”. The system is so complicated that most Americans have no grasp of when their health information is protected by the law or what security standards apply to their individual case.
Additionally, separate privacy laws govern specific areas of the US healthcare system: student immunizations and other school health records are generally covered by the Family Educational Rights and Privacy Act (FERPA), which in turn intersects with, and sometimes conflicts with, the Children's Online Privacy Protection Act (COPPA), which protects data only for children under the age of 13.
State laws only add to this confusing patchwork, particularly with respect to data breaches, where it is recognized that widespread collection of personal information puts people's privacy and security at risk. Although federal laws exist that require individuals to be notified if their information is compromised, the types of personal information that warrant protection, which entities are covered, and even what constitutes a breach all vary from state to state.
Even the most sophisticated of organizations will eventually experience a breach, thanks to the persistent threat of cyber criminals, insider threats, or commercial intrusion, and the damage that can result from the collection and misuse of data is constantly evolving and worsening. The time is therefore right to revisit federal legislation and the creation of a national data breach notification standard, which would ensure individuals are informed whenever a breach involving their personal data has taken place.
Moving Towards a Unified National Framework for Data Protection
While the US legal framework has typically relied on individual states to introduce their own flavors of data privacy legislation, the EU’s General Data Protection Regulation (GDPR) has led the global dialogue on data protection and set an international standard for the protection of all personal data, regardless of who collects it, or how it is processed. Progressive digital economies like Canada, Israel, and Japan are starting to align with this, which could arguably put US companies at a global disadvantage.
To bring the United States in line with these emerging data-protection norms, Congress should now establish one single, comprehensive framework covering all institutions: one that overrides and resolves the differing federal laws and regulations, rights and responsibilities, and ensures that all companies become ethical stewards of data for the better protection of all US citizens.
It is now time for state legislators to encourage this and to work together with Congress to deliver an overarching, progressive solution that reflects the importance of an individual’s right to privacy and organizations’ duty to protect it.