There’s no question that there are more privacy cops on the beat in the U.S. than ever before, with regulators such as the Federal Trade Commission (FTC), Federal Communications Commission (FCC) and Department of Health and Human Services—just to name a few—all responsible for portions of privacy regulation and enforcement.


Experts in the field agree that this puzzle of regulators and regulations is becoming increasingly complex, with some calling for a move to a one-rule, one-regulator approach. Meanwhile, privacy advocates and regulatory officials have raised concerns in recent months about the nation’s privacy laws.


In a recent article published in The New York Times, Marc Rotenberg of the Electronic Privacy Information Center is quoted as saying, “The U.S. system with regard to privacy is not working,” while FTC Bureau of Consumer Protection Deputy Director Jessica Rich points to that agency’s plans to propose new privacy guidelines this fall.


The Metropolitan Corporate Counsel also recently published a comprehensive report on the implications of shared jurisdiction for online privacy and data security issues, focusing largely on the FTC and FCC.


The report highlights the National Broadband Plan’s call for “Congress, the FTC and the FCC to clarify and strengthen privacy protections to foster continued innovation and competition in online applications and to spur broadband adoption and utilization” and for FCC consumer online security efforts to “support broader national online security policy” and “be coordinated with the FTC, other federal agencies and the White House Cyber Office.”


However, the report states, many other U.S. agencies are also focused on privacy issues, including the Department of Commerce (DOC).


“Taken together, momentum and developments at the FCC, DOC and the FTC suggest that broadband service providers will be faced with a series of new privacy regulations as regulators seek to meet perceived challenges posed by changing technologies and data collection and utilization practices,” the report states.


The same appears to be the case on the healthcare side of the privacy equation, where the Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR), which enforces the HIPAA Privacy and Security Rules, as well as state attorneys general are involved in enforcement of healthcare data protection.


“Give me one rule,” says Kirk Nahra, CIPP, of Wiley Rein LLP. “I think that’s better for everyone because everyone understands.”


Without such a framework, he notes, deciding whether the current system of many laws and regulators is a case of “too many cooks in the kitchen” depends on your point of view.


From a business standpoint, Nahra suggests, there are very few positives in the current regulatory regime. While there could be instances where having multiple overseers catches errors, the result of meeting the needs of many regulators with their own standards is often confusion.


From an advocacy perspective, the current segmented approach with “more cops on the beat” has some merit, explains Bob Belair of Oldaker, Belair & Wittie, LLP. “You get more eyes on the activity, and from a consumer protection/privacy protection perspective, a lot of people would say that’s good.”


Nahra also points to efforts by some of the regulatory agencies to carve up enforcement as a positive approach. As an example, he cited an arrangement under which HHS and the FTC would each regulate mutually exclusive portions of healthcare data, so that it is clear which agency has responsibility. In one such incident, the FCC and FBI coordinated enforcement when a new online technological tool was breached.


He also cites instances of cooperation on cases—where settlements were reached involving businesses and all regulators who are responsible for enforcement pieces related to the issues at hand—as a positive regulatory approach within the current framework.


Among the negative aspects to having so many enforcement agencies and pieces of legislation, experts agree, is that there end up being holes in enforcement and confusion over boundaries. Belair illustrates this with the example of the Fair Credit Reporting Act (FCRA), where entities not authorized under FCRA escape regulation although they are using information in the same way as FCRA-regulated organizations.


“It’s entirely understandable that Congress wants to close that loophole,” Belair adds.


On the flip side are instances where individuals, organizations or businesses end up taking no action at all due to concerns about potential violations.


“When rules get in the way of legitimate uses like treating a patient, there is a problem,” Nahra explains, using the example of the 2007 tragedy at Virginia Tech, where those who had information about issues related to the gunman who would kill more than 30 people and himself had not taken action or shared information out of fear of “breaking the rules” governing that information.


In such cases, he says, entities are impeded from taking appropriate action because of confusion over the rules governing data protection and use.


When it comes to healthcare privacy enforcement, Nahra notes that there are currently more issues with the rules than with the enforcement agencies themselves, given that HHS and the OCR are specialized regulators that understand how the industry works. While HHS understands the work of doctors, hospitals and healthcare providers, it is not the expert when dealing with entities such as accounting firms that handle healthcare-related information but are not actual providers. And there is the addition of other regulators, as illustrated by Connecticut’s attorney general filing the first lawsuit by a state against a healthcare company for HIPAA violations, as authorized under the HITECH Act.


The best option would be a single privacy rule, Nahra says, with his second choice being a single privacy regulator. He describes the current collection of multiple regulators dealing with many privacy rules as a worst-case scenario.


Belair notes that using consent as the green light for the collection, use and dissemination of PII makes more sense in situations where the data subject is able to make a reasoned decision. Using the analogy of a jobseeker who must give “consent” for personal information to be gathered in order to be considered for the job, Belair explains that choice is not really an option in the true sense of the word.


“Relationships do matter,” he says. The comfort level an individual has providing information to his or her physician is likely to be quite different from that the same person would feel for a marketer.


Regulators seem to agree.


CNET reported on an event earlier this summer where FTC Consumer Protection Bureau Senior Attorney Kathryn Ratte noted that existing privacy law, which relies on disclosure of data collection and use practices and on informed consumer choice, “in some very basic sense isn’t working.”


When it comes to privacy law and, thus, enforcement, Belair suggests that the foundation should be those relationships, so that the law is more grounded in real-world privacy implications.


“You open and close that gate based on the kind of relationship you have and the amount of trust you have,” he says.


A primary problem with the multiple-regulator and overlapping-regulation approach is that it puts an emphasis on where the information comes from as opposed to the nature and use of the information.


The American public does not care where the information came from, Belair suggests, but is very concerned about “how sensitive it is and what you’re going to do with it.”


Using that as the basis for regulation is a common-sense approach that works, he says.


Whether the current approach is good or bad, however, many experts do not expect it to change any time soon.


“I think it’s inevitable that we’re going to have a sectoral approach,” Belair explains, noting that with the structure of the U.S. Congress, a huge number of very different committees would be required to sign off on a move to a one-privacy-executive format. And with committees as diverse as banking, judiciary and homeland security, such a transition would be an extraordinary accomplishment. “It’s not, in the foreseeable future, going to change.”