Five Issues To Watch For In Federal Privacy Legislation


By Saad Gul

Corporate America, retooling privacy programs following California's and Europe's enactment of comprehensive privacy standards, is looking to Congress for a federal counterpart.  The United States has traditionally had little appetite for comprehensive privacy regulation.  Instead, it has followed a sectoral approach, protecting specific sectors such as health (the Health Insurance Portability and Accountability Act, or HIPAA), financial services (the Gramm-Leach-Bliley Act, or GLBA), or vulnerable populations such as minors (the Children's Online Privacy Protection Act, or COPPA).


The latest push may be different however.  Faced with the California Consumer Privacy Act (CCPA) — itself enacted to ward off even more stringent rules — and CCPA-like privacy bills pending in other states, a comprehensive federal statute may well be on the horizon.

So what issues should privacy counsel monitor as the privacy sausage is made?  Here are five.

First, Stringency.  While privacy enjoys bipartisan support in Congress, the parameters of what members consider desirable or acceptable vary considerably.  Maintaining bipartisan consensus will require negotiating the tension between widely divergent constituencies.  These difficulties will be compounded by constitutional concerns.  For instance, the European Union (EU) does not have a First Amendment.  The United States does.  Freedom of speech concerns limit Congress's ability to legislate privacy.

Second, Preemption.  Privacy advocates celebrated the passage of the CCPA.  The state of Washington has an even more stringent measure pending.  Privacy groups are concerned that federal legislation would be a poison pill if it preempts strong state statutes with watered down toothless federal gruel.  Preemption is not necessary of course.

A privacy regime can permit concurrent jurisdiction.  HIPAA is one example.  That said, it is difficult to envision a privacy statute acceptable to industry without explicit preemption provisions.  Even without such a provision, state privacy laws can expect constitutional challenges based on the Dormant Commerce Clause (DCC).  In an age of a global, seamless Internet, challengers will argue that fragmentation of privacy requirements is precisely what the DCC was intended to prevent.

Third, Enforcement.  The prevailing presumption is that the enforcement agency would be the Federal Trade Commission (FTC).  The FTC has handled privacy enforcement actions to date, with LabMD being a high-profile instance.  Even so, it is possible to envision a regime that permits dual enforcement authority, at both the state and federal level.

Such an arrangement has worked well in related contexts such as HIPAA and COPPA.  A tradeoff for complete federal preemption might entail a dual enforcement mechanism, so that interested state Attorneys General are not precluded from protecting their residents.

Fourth, Private right of action.  Another open question is whether the federal legislation will permit private rights of action.  At this stage, such permission looks unlikely.  None of the draft privacy bills with the greatest traction contain such provisions.  Industry would certainly oppose a private right of action.  Moreover, the courts’ post-Spokeo travails may strengthen the arguments against such actions.

Fifth, GDPR adequacy.  The United States leads the world in technology.  This competitiveness would be undermined without a national mechanism to transfer data between the United States and the EU.  The current mechanism, Privacy Shield, undergoes annual scrutiny by the European Data Protection Board to determine whether U.S. companies certified under Privacy Shield can continue to rely on that certification for EU-to-US transfers.

Appropriate American privacy legislation could lead to the United States obtaining an "adequacy" determination from the European Commission.  An adequacy determination would displace the need for Privacy Shield and put trans-Atlantic technology dealings on a firm long-term footing.

In any case, the next few months promise to be interesting.