The need for a comprehensive U.S. privacy law continues to grow, but the politics, procedures and policies of privacy are too complex to move legislation through the Congress. Here’s a summary of why it’s so hard, followed by a new idea.
The business community is split. Some multinationals might support a comprehensive privacy law that meets EU standards. Some domestic companies want a weak preemptive federal law that stops states like California from imposing meaningful privacy rules (the so-called Privacy Prevention Act). Other domestic companies still hope that privacy will go away, and they want to do nothing.
The consumer, privacy, and civil rights advocacy communities share broadly similar goals for a privacy law, but it is far from clear whether their cohesiveness would continue when it comes time for compromise. On hard issues such as private rights of action and federal preemption, there could well be divergent positions among advocates. In any event, advocates don’t have the oomph to push a federal bill through the process on their own.
Congress continues to show interest in privacy, but nothing useful emerges. Congress faces jurisdictional problems because many different committees have some jurisdiction over privacy legislation. Further, writing a new law when so many divergent sectoral privacy laws exist is a problem for which there is no existing solution.
An additional challenge is meeting EU standards. A weak privacy law that the EU will not recognize as “adequate” will not solve the problem for multinationals nor will it satisfy advocates. Yet an adequate law would attract strong opposition from parts of the business community. In the end, it may be hard to pass any law with any confidence that the EU will recognize it.
Just to complete this sketch of privacy, self-regulatory efforts in the U.S. are too weak, are too controlled by business, provide little more than the appearance of privacy, and don’t meet international standards.
In other words, the privacy problem here in the U.S. is really hard to solve.
That is not news. Nothing can happen without a major compromise, and that’s what I offer here. I don’t have a fully comprehensive solution, but I suggest a way to address most of the major concerns of the multinational business community and the advocacy community. Those two interest groups might be enough to move a bill through the process, especially if other stakeholders have no basis for objection.
I propose an opt-in, federal privacy law for the commercial sector. The law will only apply to companies that affirmatively choose to comply with its terms. The model here comes from arbitration. Laws define, support, and provide for the enforcement of arbitration agreements, but the parties to a contract usually decide whether they want to use arbitration. If they do not, then arbitration laws do not apply. The Privacy Shield, now available to solve some problems with U.S. companies that need to meet EU standards, is an opt-in program. Among its shortcomings is a failure to provide any protections for Americans.
With an opt-in privacy law, the data controller chooses to comply. There is no need for agreement from data subjects. Data subjects become the beneficiary of the decision along with the data controller.
What goes in the opt-in privacy law? The law has to address all elements of Fair Information Practices in a manner compatible with and similar to the GDPR. If the law isn’t good enough to meet the EU adequacy standard, then companies that need to move personal data from the EU to the U.S. will not benefit. Meeting adequacy does not mean that the opt-in law must be identical to the GDPR, however.
The basic idea here is simple, but it won’t be simple to draft a bill. For example, it is far from clear that the underfunded and underpowered FTC will meet EU standards for an independent privacy authority. Yet expanding the FTC’s jurisdiction might attract broader opposition both inside and outside Congress. A new privacy agency has some attractiveness, but it will draw objections. Another hard issue is addressing the right-to-be-forgotten element of the GDPR given our strong First Amendment. There will be plenty of other challenges as well, but any approach to a privacy law will have similar obstacles.
One advantage of a strong law applicable only to the private sector is that all government issues disappear. Applying the same law to the government (federal, state, and local) would be a major political and substantive challenge. Another advantage is that jurisdictional conflicts within the Congress would diminish (but not disappear). A strong privacy law would likely be stronger than some existing federal privacy laws so conflicts would be minimal. That is not to say, however, that all conflicts with existing laws would go away. The federal health privacy rules present a particular challenge, as they apply to commercial and governmental entities.
For advocates, the proposal only accomplishes some of their objectives. There would be a strong privacy law meeting international standards. The main drawback is that many companies would not opt in and would, for the most part, be left to set their own policies. Market pressure might be effective, at least to some degree. Companies such as data brokers that have few dealings with consumers would probably not opt in. However, data brokers that do business with companies that opt in to a privacy law might feel pressure from their customers to meet the new standards. A state could pass a law pushing its own agencies to do business with opt-in companies. Consumer pressure might induce many online companies and many merchants to opt in. Regardless, however, an opt-in bill is still half a loaf, at best. That may be the best we can do right now.
For multinational businesses, an opt-in law deemed adequate by the EU would make international transfers simple. The businesses would no longer need to have contracts or adopt binding corporate rules, and there would be no need to meet the procedural requirements of the Privacy Shield. These benefits would persuade large businesses to opt in. Further, data processors who do business with opt-in companies would face pressure to opt in themselves. Doing so would help processors preserve their existing business relationships and attract new business from other opt-in companies. If the opt-in law were sufficiently robust, the stakes in a federal preemption fight would be reduced for those who opt in, and compromise on preemption might be easier to achieve.
In the end, the main device of the opt-in proposal is that it only applies to those who affirmatively choose to comply with the law. For those businesses that still want to do little about privacy, there would be no direct effect. They would be hard pressed to oppose a law that did not affect them, although they would probably oppose it anyway. Small businesses in particular could ignore the law as they see fit, and the argument that a privacy law is too costly for them disappears.
Is the opt-in proposal really practical? That is truly the question. It offers something to everyone, compels no one to do anything, provides some better privacy protections for consumers, acknowledges the robust international privacy movement, and generally puts the U.S. in a better position to address privacy standards already adopted by most of the rest of the world. The advantages of an opt-in privacy law would avoid some (but not all) of the difficulties that we face today.
An opt-in privacy law is not anyone’s perfect solution. It’s a compromise, not a panacea. But I submit that it is worthy of further debate and discussion.