The Obama Administration has just announced that it would back a broad-based “data privacy bill of rights” similar to what is now in force throughout the European Union under the EU Data Protection Directive (Directive 95/46/EC).
We’ve been down this road before, and I don’t think a comprehensive federal bill similar to the EU model is likely to happen for a long time—nor should it. Here are a few points to remember as you read about a possible comprehensive federal law on data privacy or “personal data protection.”
Previous Federal Data Privacy Bills Went Nowhere
Two of the most recent efforts to enact a data privacy law at the federal level came to naught. One was Senator Patrick Leahy’s Personal Data Privacy and Security Act of 2009. Nothing has happened on that bill since November 2009. It was opposed by the U.S. Chamber of Commerce, the American Association of Advertising Agencies, the Internet Commerce Coalition, the National Automobile Dealers Association, The Financial Services Roundtable, and a number of other groups. I wouldn’t want these groups to define the law on data privacy, but they do have reason to be concerned about what an EU model-law would do to their constituents.
Also in 2009, Senator Dianne Feinstein introduced the Data Breach Notification Act. It was less far-reaching than Senator Leahy’s bill, but it still hasn’t gotten anywhere.
Justin Brookman, consumer privacy director at the Center for Democracy & Technology, says “There’s a window of opportunity here to pass strong consumer privacy legislation—with bipartisan support—in the 112th Congress.” I’d say that’s overstating things.
The EU Model Is Problematic
The Obama Administration refers to the EU model as a goal, but it isn’t the right goal for the US. It’s too invasive, too restrictive, and too expensive. The Directive on Personal Data Protection (Directive 95/46/EC) has been in place for more than 15 years. The implementing regulations in most countries were a long time coming, leaving everyone wondering how to behave in the meantime. Along the way, companies spent millions on analysis and compliance. Yet the regulations are often contradictory or completely impractical to implement. In countries like the UK, it can seem that every online form and every piece of paper has had to be revised to account for the data privacy laws. In other countries (Russia comes to mind—they have enacted a law based on an EU model), the regulations still leave some terms undefined, making businesses nervous about where enforcement might actually occur.
Under EU laws, the reach of the data protection authorities is astonishing and would never be acceptable to US businesses or consumers. Nor would the penalties (try a $600,000 fine in Spain or 6 months in prison in Cyprus for violating a data privacy law).
Consumers deserve adequate privacy rights under federal law, but the EU model is not the best way to achieve them.
For Data Privacy, the Current Federal Approach Is Workable
The U.S. uses a piecemeal approach with federal laws for key areas of concern, such as health data (via HIPAA), children’s data (via COPPA), financial data (via GLB), and consumer-oriented data (via the FTC regulations and consumer finance regulations). Adding to this approach is more likely to avoid unwieldy regulations and the draconian results that the EU has experienced. Self-regulation in the US has not entirely worked—the FTC has gone after a number of websites and no one would say that Facebook has kept everyone happy with its privacy policies—but targeted legislation and strong enforcement of existing rules is the best way forward.
Daren Orzechowski, a privacy expert at law firm White & Case, says (quoted in USA Today) that “From a European perspective, the U.S. is currently not much different than a third-world country when it comes to data privacy and protection law.” Wrong. The fact is that the EU passed its Data Privacy Directive with a specific goal (among others) of isolating US businesses. For international data transfers, the EU laws don’t “approve” of any country that doesn’t match the EU’s legal model. But apart from the bureaucrats, no one in Europe who has examined U.S. laws would place the U.S. in the same category as countries that have no data privacy laws on the books.
States Are Developing Conflicting Laws
The EU approach isn’t right for the U.S., but attention at the federal level is needed. Forty-five states have data privacy laws; many include data breach notification provisions. But those laws create a quagmire of compliance issues for businesses; and as more state laws are added to the mix, they are likely to conflict with one another (where complying with requirements in State A violates the express requirements of State B).
Seeing the Obama Administration chime in is a good thing. And action at the federal level would be welcome. But it must be done with care. It must protect privacy in accordance with the expectations of Americans, and it must avoid the ambiguity and expense that businesses in Europe have dealt with for more than a decade.