“One man’s meat is another man’s poison”, so the saying goes – and it could be applied to privacy. A growing appetite for privacy protection among consumers across the globe is evidenced by the fact that more than 60 jurisdictions have either implemented or proposed privacy and data protection laws.
But the approach taken by individual countries leaves much scope for variation, and nowhere is this more visible than between Europe and the US.
Europe positions privacy as a fundamental human right, whereas the US has historically treated privacy as a matter of consumer protection. The GDPR is a single, comprehensive mechanism protecting the rights of everyone in the EU; the US, by contrast, applies its privacy legislation on a sectoral and state-by-state basis.
The absence of a comprehensive US federal privacy law has been the subject of much discussion in recent years, and has led to the impression among some that US privacy is less of a fundamental concern than in Europe.
“The US has never really been on the forefront, if you will, for data privacy and protection. I think a lot of that stems from our capitalistic approach to pretty much everything, including personal data,” says Ross Parker, Head of Privacy Operations and Global Strategy for S&P Global Inc.
“For the longest time, American citizens have benefited from… I wouldn’t say a lack of privacy, but we’ve always benefited from giving our information to companies: What’s the harm? I don’t think anybody ever saw it.”
Nevertheless, there is an abundance of privacy and data security legislation in the US.
Under the Federal Trade Commission Act, the Federal Trade Commission (FTC) is empowered to protect consumers against unfair or deceptive practices, which it has applied to misleading privacy notices and to failures to secure personal information. Federal legislation also protects privacy sector by sector: financial services (for example, the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act/Fair and Accurate Credit Transactions Act), healthcare (the Health Insurance Portability and Accountability Act [HIPAA]), telecoms (the Telephone Consumer Protection Act [TCPA]) and education (the Family Educational Rights and Privacy Act [FERPA]). Other federal statutes cover personal information in areas as diverse as surveillance, motoring, children, and consumption of audio-visual products.
At state level, a number of laws govern elements of privacy ranging from surveillance, biometric data and TV viewing habits to education records, as well as imposing data breach notification requirements. States particularly active in data protection and privacy include Massachusetts, New York, Illinois and California.
The latter has been in the driving seat recently with its 2018 California Consumer Privacy Act (CCPA), which requires businesses to disclose the personal information they collect on consumers and, crucially, gives consumers the right to access and request deletion of their personal information, as well as to opt out of its sale.
“Because it’s obviously California, one of the largest states, it’s the home of many businesses and it affects many businesses who have a geographic reach into that state. It’s really shaping how many companies in the US are responding to data protection,” says Daniel Castro, Director of the Center for Data Innovation.
Back to the national picture, and Castro challenges the notion that the US lags behind Europe when it comes to privacy protections. “We’ve been taking the sectoral approach, and that wasn’t necessarily seen as a bad thing until people started saying that was a bad thing. The US is doing a lot on privacy… I think it’s just a different approach. And now that approach has come under more critique,” he says.
Aaron Simpson, a partner at Hunton Andrews Kurth, cites the US focus on both privacy notices and, particularly, data protection contracting.
He says: “With the litigation system in the United States being as robust as it is, negotiating agreements with service providers in the privacy space has been very, very sophisticated in the United States for more than 15 years, and that’s primarily to manage risk associated with data security. The US is a decade or more ahead of Europe when it comes to privacy and data security contracting and the sophistication of the parties, particularly when it comes to liability issues. Most of this difference results from the differing legal constructs.”
Despite failed attempts to introduce a comprehensive federal privacy law stretching back many years, focus has again shifted to the federal level, this time triggered by the Cambridge Analytica scandal.
Support for a federal law comes from all corners. The complexity of complying with multiple regimes is visible even at the level of the individual consumer: something as simple as setting up a television can present different options depending on geographical location. For companies the issues are writ large, and the practical challenges of complying with a patchwork of laws that vary along state and sectoral lines have largely united the business community behind the consistency and predictability that a uniform federal approach would bring. Even without legislation, many organisations have been compelled to act.
“It’s a tough landscape to navigate because you’re looking at potentially 50 different privacy laws. At what point do you take that sectoral approach or what point do you just switch it off and say, You know what – everybody is getting benchmarked to the highest level,” says Parker at S&P Global.
Privacy is popular with US consumers, 90% of whom feel that government has a responsibility for protecting their data. With consumer opinion shifting in response to high-profile data breaches, and so many different privacy parameters in place across Europe, APAC, South and even North America, Parker believes that companies have additional motivation to support a federal approach.
“You see the tide shifting and a lot of companies just want to get ahead of it. You want to be on the forefront. You want to help drive the train. You want to make sure that you’re able to help shape whatever might come down at the federal level.”
Erinn Martin is Policy Counsel for the Public Policy Project at the Lawyers’ Committee for Civil Rights Under Law, an organisation that views privacy through a civil liberties lens, and which also supports a federal law.
“Each state has their own political climate – like California, for example, might pass what we would refer to as a more progressive measure in terms of trying to protect more people, but that might not be something that would get enacted in Mississippi or in Texas, and it’s not fair for people to have different rights based on where they live,” says Martin.
So why has a federal privacy law not been passed? Despite a febrile political environment and next week’s presidential election, the perceived need for a federal privacy law is, perhaps surprisingly, not partisan. But it is political.
Both Democrats and Republicans have proposed a federal privacy law, such as the 2019 Consumer Online Privacy Rights Act, sponsored by a Democratic Senator, and the September 2020 SAFE DATA Act, sponsored by a Republican Senator, and a bipartisan working group in the Senate Commerce Committee spent more than a year on the issue. None has so far succeeded.
“There are some areas of agreement between the Democratic proposals and the Republican proposals. The areas of agreement would be around some sort of data subject rights, some sort of obligations regarding transparency, some data security obligations and then increased enforcement authority for the Federal Trade Commission and the state attorneys general,” Simpson explains.
“But there are some areas of very strong disagreement, and the very strong disagreement has to do with federal pre-emption and private right of action.”
According to Simpson, Democrats generally oppose federal pre-emption, the displacement of state law by federal law, on the grounds that a more business-friendly federal statute might water down the more comprehensive state laws they favour. A private right of action, which Democrats generally favour and Republicans generally oppose, would allow individuals to bring lawsuits themselves for alleged violations of the law.
“It’s not that there’s resistance to a privacy law. It’s just that the devil’s in the details and there’s resistance to certain key components,” he says.
With the election so close and the possibility of a new administration, the incentives have not been aligned for bipartisan compromise, at least this year.
“But, right now, I think the Democrats are bullish on their opportunities in November. So I think they’re taking kind of a wait-and-see approach,” says Simpson.
For the nonpartisan Lawyers’ Committee for Civil Rights Under Law, private right of action is a key plank of a privacy bill. “That’s something we definitely would support just because for all civil rights we believe that people should have the private right of action allowing them to actually vindicate their rights and sue in court if there is a violation,” Martin explains.
For privacy professionals, a lack of federal pre-emption could increase the complexity of the legal landscape as companies would need to comply with both federal and state laws. A private right of action could create the potential for significant litigation.
For many, the pandemic has reignited speculation about a federal privacy law, even as others are inclined to accept whatever technology and processes make them feel safe.
Mirroring the wider federal debate, the arrival of the Covid-19 pandemic reproduced the same disagreements in microcosm as US politicians sought to pass Covid-specific data protection legislation.
At the end of April 2020, four Senate Republicans sponsored the COVID-19 Consumer Data Protection Act, requiring consent to collect, process or transfer personal health, geolocation or proximity data used to track the spread of the virus. It contained a state pre-emption clause.
Just under a fortnight later, Democrats introduced the Public Health Emergency Privacy Act, which also required consent from subjects before collecting, processing or transferring data to track the virus. There were other differences between the bills but, crucially, the Democratic bill did not pre-empt state law and did provide for a private right of action.
“It was almost like both parties were trying to sneak in a quick win on pre-emption and private right of action in a discrete privacy bill as a way of planting a flag on the broader privacy law that is to come. But neither were successful,” says Simpson.
There is a question mark over the influence that the proliferation of international regimes may be having over the US debate. As data protection legislation emerges in other parts of the world, such as Asia, GDPR may not necessarily be the only model to follow. But it is, of course, on everyone’s lips.
“You think about companies, especially those that are based in the US and have primarily US customers but might have a small footprint abroad, it really has drastically changed the way that they’ve had to function. And it was a hard uplift from an enterprise standpoint, to have people understand it’s not just one hurdle, data privacy is not something you jump over and keep running, GDPR isn’t you do the one time implementation and you’re done,” says Parker at S&P Global.
“Even as you were putting all the pieces together, it just felt like an insurmountable obstacle,” he says.
But now that the GDPR dust has settled, Parker believes that many businesses have come to understand the purpose of the Regulation.
“Almost two and a half years later now, we are sitting in a place of further understanding, I think our businesses are all thriving still, something that some people thought wouldn’t happen… I looked at GDPR really as somebody just finally dropped the stone in the lake, if you will, and here come the ripples.”
But acceptance of international regulation doesn’t necessarily translate into a clamour for the same approach in the US.
“In a way, the GDPR approach is alluring in that it is one law that applies to every company in the EU, and here are these principles and here are the things that you need to do. You can copy and paste this into your law, which is not really something that can be done with the US approach to privacy regulation,” says Simpson.
The GDPR has to some extent normalised the notion that consumers should have rights over, and control of, their data. The pressure it has exerted is especially visible in California’s Proposition 24, a ballot initiative on November 3 that seeks to extend state privacy rights and deliberately tracks GDPR-like protections.
But, says Simpson: “It would be very difficult in our legal construct in the United States to cut and paste a law like GDPR and just put it into law in the United States. Our legal system, for better or for worse, is too complex and the federalist structure makes it very difficult, as well as the Constitution, to just plot a federal law that is principles-based in a way the GDPR is, into existence.”
And Castro is sceptical about the efficacy of GDPR as a panacea for all privacy issues.
“The point of GDPR, in many ways, is a couple of things. One was to have an EU-wide directive, so they have the different member states with their own privacy laws. And it looks like it’s gotten much closer to achieving this goal. But the other point was to actually address the concerns people had around trust in the digital economy. It seems like it hasn’t really worked there.”
The impact on federal privacy legislation of Schrems II, the decision by the Court of Justice of the European Union (CJEU) to strike down the Privacy Shield that had provided a legal basis for transfers of personal data from the EU to the US, is debatable. Some have suggested that a comprehensive federal law could serve as a sweetener in any future adequacy decision by the European Commission. What is beyond doubt is that the ruling has sent shockwaves through the US.
“That is going to be one of the largest drivers that we have in the next five years for change in the US, and it’s just because businesses now are going to push extra hard on the government to make changes, because now they’re affecting the bottom line,” says Parker.
S&P Global updated contracts and data protection appendices to comply with GDPR, and plans to negotiate Standard Contractual Clauses where necessary with some of its largest vendors and clients. But Parker acknowledges this may not have been possible for all companies, and data localisation is something that many should prepare for.
At Hunton Andrews Kurth, Simpson’s client base is largely American businesses operating in Europe. He says: “For them, the decision is very, very significant. They need to move into Standard Contractual Clauses yesterday, but they can’t just move into Standard Contractual Clauses – the decision stands for the idea that you need to ensure, as has always been the case but there’s now special emphasis on it, that the parties to the contract can actually live up to the provisions in the contract.
“We are advising our clients on the European side to conduct what we call a transfer risk assessment of the data importer in the United States, and if there are questions about that then they need to build additional safeguards that supplement the Standard Contractual Clauses – which we have been working basically night and day with all of our clients on now for a couple of months.”
Whatever data protection processes are put in place on the commercial side, whether voluntarily or compelled by legislation, the European concern that propelled the Schrems II ruling, the potential for US government access to transferred data, is not one a federal privacy law necessarily addresses.
Says Castro: “In theory, that should be momentum. But I think because of the way it’s played out in terms of the two Schrems decisions, it’s actually almost undercut the momentum for it, because the question would be: so if we go through and we copy Europe’s privacy regulations, and we spend all this money on it, and we still don’t have adequacy, what is the point of this whole exercise?”
But the business community will still play a role in determining the climate in which negotiations between the US and EU take place – by throwing its support behind a strong negotiation that could take time to resolve, or pushing for a quicker fix.
Is a federal bill likely?
In short: yes. With support from both sides of the political spectrum, the business community and the general public, comprehensive national privacy legislation is likely in the medium term. And while the candidates in next week’s presidential election may not be campaigning on privacy as a core issue, the outcome of the ballot will undoubtedly influence how the law ultimately shapes up. The pivotal question is whether the election result is decisive enough to deliver either a Republican- or a Democratic-style law.
“I think if there’s any sort of split among the Houses of Congress or the White House, we’re not likely to see anything. But if it’s controlled by one party then I do think we would see something,” says Martin.
With or without a federal US privacy law, the global privacy trend is towards regulation, making compliance for privacy professionals engaged in cross-border data transfers or managing business global operations an ever-evolving process. Simpson believes that, ultimately, a solution for many businesses might not even lie in legislation.
“You have this cacophony of requirements globally and domestically that make compliance very, very challenging and so another area to watch are emerging voluntary frameworks that help companies think about their data holistically and implement a global, principles-based programme that gets them 80% of the way towards compliance with any privacy law, which then allows them to focus their efforts in a bespoke manner on the remaining 20%.”