Tennessee Attorney General Herbert Slatery has served the citizens of Tennessee since 2014. Unlike most of his fellow attorneys general in other states, who most often are elected by voters, he (and his predecessors) was appointed by the Tennessee Supreme Court to serve an eight-year term. He is well known and respected by his fellow attorneys general across the U.S. and often works on complex, bipartisan multi-state investigations on matters of keen national importance, including opiate addiction and competition in the technology sector.
As the chief law enforcer for the state of Tennessee, he also has consumer protection, including consumer privacy and cybersecurity, as a top priority for Tennessee citizens and businesses.
Here, he shares his thoughts on privacy in the states, prospects for "federalization" of privacy standards and enforcement, and what states are doing to address concerns concerning data collection and (mis)use in the interim.
The Privacy Advisor: With the new Biden administration and the passing of the torch from one party to another, how is your office preparing for this shift, and what is your prediction on what will change in privacy enforcement from the federal level? What else can you share with privacy practitioners and businesses about what to expect from your office in the coming year?
Slatery: This office has always had strong working relationships with our federal partners over several years and several administrations. I anticipate these relationships will continue to grow as each of us needs to address crucial issues surrounding antitrust and related data privacy concerns. We have also enjoyed successful bipartisan collaboration among the various state attorneys general on these issues. There is no sign of any change in that bipartisanship regardless of the national political situation.
I hope the Biden administration and U.S. Department of Justice continue to prioritize the pending antitrust cases against Google and Facebook and that they focus on stronger enforcement of both antitrust and consumer protection laws in the digital arena. This office will always pursue important privacy-related cases, large and small. I have always thought we punch above our weight as attorney general offices go, and our goal is to keep on doing so.
The Privacy Advisor: After the passage of the California Consumer Privacy Act and EU General Data Protection Regulation, the federal government has also begun considering a potential federal privacy law, holding hearings and announcing proposed legislation on key issues such as preemption, enforcement and the possibility of a private right of action for enforcement. Do you believe that a federal law will be an effective way to protect consumer privacy? What type of privacy law, if any, would you like to see come out of Congress?
Slatery: The odds for federal privacy legislation are fairly good in the next few years. A single strong, comprehensive and bipartisan federal privacy law would provide more certainty and decrease compliance costs for businesses while ensuring uniform protection of consumers. But any federal privacy law should allow for state attorney general enforcement, consistent with comparable laws involving data privacy, such as the Health Insurance Portability and Accountability Act and the Children's Online Privacy Protection Act.
The Privacy Advisor: 2020 was a sea change for how we all do business and increasingly all remotely. COVID-19's broad impacts continue to be felt, with many data privacy implications for companies shifting work to the home office and in greater processing of sensitive personal health data, including contact-tracing information. Even children's personal data is implicated by the new reality of remote schooling, and through all of this, we are increasingly finding out about vulnerabilities as we go. What are your office's concerns and areas of focus in response to these developments?
Slatery: Like everyone else, this office had to start working remotely and fortunately did so very successfully. I'm grateful for how well our attorneys and staff have adjusted to the temporary realities of the COVID-19 era. Making it all possible was our information systems team, which has done an incredible job keeping our network functional and secure. We had to deploy and upgrade laptops, expand our virtual private network, and learn new applications, like Zoom, WebEx and Microsoft Teams.
The IS team is continuously monitoring threats and providing guidance to all employees on a range of matters. However, we realize that many private companies and entities in the public sector, including schools, struggle to meet this moment. Not all vulnerabilities can be easily spotted or anticipated. That is why we continue to monitor data breaches and COVID-19-related security issues that come to our attention and work together with other states to address issues as they arise.
The Privacy Advisor: There has also been an increasing number of state-level laws introduced around data privacy, but the biggest name has to be the CCPA, which will, in just under two years, be replaced by the California Privacy Rights Act. Both provide a robust set of consumer data privacy rights around accessing and deleting personal information, with detailed requirements and timelines for answer data subject access requests, among other provisions. Has your office considered taking on similar comprehensive privacy law for Tennesseans? If so, what aspects of the law do you most agree with and want to see in a Tennessee version? Conversely, what other aspects would you like to leave behind?
Slatery: Traditionally, the attorney general's office in Tennessee does not initiate legislation except in limited areas, although we often consult on bills that impact this office. I believe strongly that an individual's data belongs to that individual. Companies do not have the right to take that information, resell it, and otherwise monetize or manipulate it without informed consent. And I mean actual informed consent. Important strides have been taken by our fellow states in passing legislation affirming the primacy of individual rights in this area.
If new privacy legislation were to come before the Tennessee General Assembly, I would hope that it would contain provisions allowing consumers far more granular control over the data that companies collect from them. This includes the ability to know what data companies have and what they do with it and the right to have data deleted or opt out altogether from data collection.
I also believe consumers should have to give informed consent before their data can be used and that there should be easy, centralized ways for consumers to opt out of the sale of their data. As tech platforms become more and more consolidated, the sale of data is a less pressing concern. It is the raw collection of so much data by a handful of extremely powerful entities that demands the most attention. At the most basic level, a lot of consumers still do not realize how or why their data is being collected in the first place or how valuable it is to companies and data brokers, and we need to change the ground rules in these relationships.
