The end of a year, and the start of another, often gives cause for taking a moment to be reflective and to ask, “how did we get here.” When you are a data privacy attorney, it's only natural that the question becomes, “how did we get here in the world of data privacy.”
I often think about a song – which, if you grew up in the 1970s or the 1980s, you probably remember – from School House Rock called "I’m Just a Bill." It would play each Saturday morning and explained, at breakneck tempo, the legislative process:
I'm just a bill.
Yes, I'm only a bill.
And I'm sitting here on Capitol Hill.
Well, it's a long, long journey
To the capital city.
It's a long, long wait
While I'm sitting in committee,
But I know I'll be a law someday
At least I hope and pray that I will,
But today I am still just a bill.
Of course, in the world of data privacy, the normal legislative process – draft legislation; a committee to discuss, debate, and hold hearings to perfect language and consider unintended consequences; equal consideration by the companion legislative branch; floor debate; and finally the enactment of a thoroughly considered statute – feels more like the exception than the rule.
The data privacy world has seen two landmark changes in the past decade: the EU General Data Protection Regulation and the California Consumer Privacy Act (and its companion, the California Consumer Privacy Rights Act). Neither the European approach to privacy regulation nor the California approach fits the traditional model. Indeed, they can, and should, be taught at every law school as a case study to understand how divergent the legislative process can be.
The process by which the GDPR was created sits on one extreme.
Modern European data privacy laws can be traced back to the 1995 European Data Protection Directive (Directive 95/46/EC). In 2012, the European Commission proposed a comprehensive reform of the directive. That reform was extensively, and independently, evaluated by the European Data Protection Supervisor, the Article 29 Working Party, and the European Parliament. Each entity convened groups of experts to evaluate the proposed text, offer opinions, insights, and recommendations.
The collective thoughts of hundreds of privacy experts from those bodies ultimately influenced the European Data Protection Supervisor to provide, in 2015, a final recommendation for the text of the GDPR, and the final agreement of the European Parliament, the Council, and the European Commission was achieved a year later on April 27, 2016.
The final version of the GDPR provided a two-year grace period during which the Article 29 Working Party (and later the European Data Protection Board) issued new guidance, or ratified prior guidance – which collectively culminated in thousands of pages of interpretative guidance for businesses prior to the GDPR going into effect in May of 2018.
Ultimately, from start to finish, the GDPR took six years to come into being – four years to draft (2012 – 2016) and two years to implement (2016 – 2018). It also benefited from the input of hundreds of privacy experts, who pressure-tested, discussed, and vetted each of its 99 Articles and 173 preambles. People can (and do) have strong opinions about the GDPR, but nobody can say that it is not a polished regulation.
The processes by which the CCPA and the CPRA were created were completely different. For DC Comics fans, you could consider them the Bizarro-worlds of the GDPR.
In 2017, a California real-estate-developer-turned-privacy-advocate filed a ballot initiative for a state privacy law. The ballot initiative, which was refiled and amended several times, was ostensibly based upon portions of the GDPR, but there is no indication that it was drafted by an attorney, let alone one familiar with data privacy.
Fearing passage of what was considered by many a poorly drafted and conceptualized initiative, a deal was reached June 21, 2018, between the proponents of the ballot initiative and certain members of the California legislature, under which the ballot initiative would be withdrawn if the California legislature adopted, and the governor of California signed, a statutory replacement by June 28, 2018 – i.e., within seven days.
Assembly Bill 375 – an inactive statute that had been gathering dust from the previous year and was never fully drafted, vetted, or reviewed – was pulled from the inactive file. On June 21, 2018, it was referred to the Judiciary Committee for hasty approval. On June 25, 2018, it was referred to the Appropriations Committee, and by June 28, 2018, it was enacted. It was signed by the governor the same day; in all, it took seven days to transform a previously abandoned bill into legislation.
During that time, it is not clear if any legal privacy experts (as opposed to privacy advocates) reviewed, revised or opined on the text of the statute. While subsequent amendments in 2018 and 2019 tweaked the language, the amendments mainly corrected grammatical errors and typos, doing little to modify the substance of the original text.
The only real overhaul came in 2020 when the same California real-estate-developer-turned-privacy-advocate filed a second ballot initiative. No legislative compromise intervened that time around and, ultimately, the ballot initiative led to the enactment by referendum of the CPRA, and its large-scale amendment of the CCPA. People can (and do) have strong opinions about the CCPA, but nobody can say that it is a polished statute.
While the CCPA and the CPRA came into being through an entirely different process than the GDPR, at the end of the day they are related; if not sisters, perhaps distant cousins. So much of the verbiage, intent, structure, and ultimately ideas, found within the CCPA was borrowed from – sometimes excerpted from – the GDPR.
The net result is that to truly understand and interpret the CCPA and the CPRA requires an understanding of the complex regulatory scheme that they were trying to emulate – the GDPR – as well as an acceptance of the fact that the CCPA is not that regulatory scheme, did not go through the same vetting process and may not always lead to the same interpretations and legal conclusions.
As we start a new year, we are already seeing new proposals for state and federal legislation such as the New York Data Accountability and Transparency Act and the Washington Privacy Act of 2021, and most recently, Virginia Senate Bill 1392 and House Bill 2307. Some of those proposals are arguably reminiscent of the early drafts of the CCPA with typos, undefined terms and references to phantom sections that don’t exist.
Before jumping behind any proposal, we should take a step back and remember the remarkably different lineage of the GDPR and the CCPA, and consider whether the best process for creating good privacy legislation lies somewhere between those two regimes.
While it should not take six years to create privacy legislation, it should not be rushed and pushed through without careful consideration and planning, which often does involve a multi-year process.