China’s Personal Information Protection Law, which came into effect Nov. 1, 2021, represents one of the most recent and — given the extent of the Chinese market — perhaps the most momentous privacy policy development last year. China’s enactment of a new law signals the importance of privacy legislation in sustaining a commercial environment where data is processed and shared safely and responsibly, where consumers are protected, and where data-driven businesses can flourish in global commerce.
As companies work to comply with the PIPL, debate continues in Washington about privacy legislation in the U.S. To the frustration of stakeholders, progress is slow. While there is growing consensus among privacy advocates, experts and businesses about the need for a federal privacy law, issues about provisions central to an effective law remain unresolved. Whether a law should include a private right of action has been a persistent point of disagreement for stakeholders and is often cited as an impediment to its passage.
Privacy advocates have long insisted that any new law must include a right for individuals to bring suit. They note that a private right of action — a provision in law that grants individuals the ability to bring a lawsuit against a party that has wronged them — is an essential element of the U.S. judicial system. A private right of action would empower individuals harmed by a violation of privacy to hold the perpetrator accountable in court and obtain redress.
Advocates also view a private right of action as a way of addressing perceived limitations in the FTC’s ability to enforce privacy law in the U.S. Without such a right, they argue, government enforcement does not always protect the rights of individuals. While the FTC has brought enforcement actions that hold some companies to account and signal legal requirements to the market, it does not address individual violations of law or vindicate the rights of individual consumers. Advocates have argued that the FTC’s enforcement efforts are less than optimal because of its limited authority to regulate privacy (it relies largely on its general authority over unfair or deceptive practices rather than on a privacy-specific statute) and a lack of capacity to effectively enforce privacy laws.
A private right of action would allow an individual whose privacy rights are violated to pursue enforcement on their own.
After years of debate, the business community increasingly recognizes not only that a comprehensive privacy law is needed in the U.S., but that if such a law is to pass, it will need to include a private right of action. Companies, many of which once opposed a private right of action in any form, remain concerned, however, that a provision granting consumers the right to sue will lead to a proliferation of frivolous lawsuits that burden businesses managing and protecting data responsibly and lawfully. They argue that such suits impede innovation and drain company resources that could be better spent on hiring and on pursuing new opportunities.
But a private right of action does not have to be an either-or choice, and does not need to stand in the way of privacy legislation in the U.S. A right to sue can be designed with guardrails that limit the potential for frivolous or harassing lawsuits but preserve the ability of individuals to bring cases in appropriate circumstances.
A workable private right of action in privacy law could:
- Provide for review of potential cases before they are brought to court. The ability to bring a private right of action could be made dependent on review and approval by the appropriate authority or agency. These bodies could determine which cases should go forward and screen out harassing or frivolous suits.
- Allow for an opportunity to cure in appropriate cases. In some instances, privacy violations can effectively be addressed by allowing the offending party the opportunity to correct the error. This could be particularly useful in cases of first violations and when there is no pattern of recklessness or negligence.
- Include limits on recoverable damages. Damages could be tailored to the harm actually suffered by the individual. They could also be scaled according to whether the violation was willful or reckless, or whether it reflects repeated failures to meet the obligations of the law.
- Limit the private rights of action to cases based on certain kinds of violations. A private right of action could be designed to be available only for prescribed violations. For example, a private right of action could be tailored to apply when a violation involves particularly sensitive data or a processing activity that raises a high degree of risk for individuals. The law could be designed so individuals are able to bring suit when certain sensitive data — such as health, genetics or geolocation data — has been compromised by a violation of law. China’s new law takes such a hybrid approach to the issue, allowing individuals to bring lawsuits only in certain circumstances.
- Require a heightened level of scienter. A private right of action could be appropriate in limited cases, such as instances where companies have acted willfully or recklessly with respect to provisions of the law designed to protect individuals from demonstrable harm. For example, cases could be brought when companies recklessly fail to secure sensitive data, or when they engage in data processing that exposes individuals to potential discrimination or other harm. A private right of action might also be appropriate when companies exhibit a pattern of violations of provisions that deny individuals the opportunity to exercise their rights to, for example, access or correct their data.
Enacting meaningful privacy legislation promises significant benefits for both U.S. companies and consumers, and China’s new PIPL emphasizes the importance of privacy law for U.S. companies to compete in a global market. If U.S. federal privacy legislation is to pass, policymakers must resolve the question of how to design a private right of action that protects and empowers consumers and does not impede growth and innovation.