U.S. businesses face a patchwork of privacy mandates: a hodgepodge of sector-specific federal laws, state laws with national consequences, industry codes and corporate promises. Companies frequently have difficulty addressing all the requirements. This melange of regulation is no longer working well; the United States needs a better solution.

A decade ago, compliance with privacy requirements was a relatively simple matter for U.S. companies. Privacy laws were, by and large, extremely limited in scope and affected only narrow categories of businesses. In addition, international data transfers were not critical to many businesses, so there was no need to consider requirements that might be imposed by European or Asian nations. The Internet was just emerging as a consumer technology, and spam was still a type of canned meat.

All that has changed in the last 10 years. Communication and computer technologies have undergone a revolution, and the Internet has revamped the way businesses and consumers communicate. Many more companies have become global in nature, requiring that data flows also become international and thus subject to the privacy rules of multiple countries.

While trying to navigate this international realm of privacy laws, U.S. companies also must worry about state requirements. During the past two years, for example, California has passed a number of privacy laws that essentially have changed the way business is conducted on a national level. One law in particular (AB 1950, which went into effect Jan. 1, 2005) requires businesses that maintain certain personal information about California residents to implement security procedures that will protect the information from unauthorized access, use and destruction. The law also requires businesses that disclose such information to nonaffiliated third parties to contractually require those entities to develop their own security procedures.

This new statute is the nation's first to impose a security standard on personal information held by businesses that are not otherwise obligated by more narrowly targeted laws to safeguard the information. (Financial institutions and certain health care entities, for example, are excluded from coverage because federal law already regulates their information practices.)

Most national companies do business in California and, thus, are subject to California's jurisdiction. Consequently, this new law effectively imposes one state's privacy standard on most major U.S. businesses that maintain personal information. And since the corporate systems that support commerce in California also support commerce in the 49 other states, as a practical matter, national (and international) businesses may find themselves applying California's rules to all consumers. This gives one state astonishing power over interstate commerce. In the absence of a comprehensive national law from Congress, California effectively can legislate for the nation.

The privacy patchwork becomes worse as other states also pass privacy legislation. While business systems can be changed to comply with one state's requirements, it is not practical to change systems to comply with the varying and possibly contradictory requirements of 50 separate states. Corporate compliance officers will be left scratching their collective heads as they attempt to determine which privacy rule covers which data application.

The problem is more than state statutes, however. Privacy regulation in the United States varies not only by state but also by sector. Federal privacy laws, for instance, regulate the use and security of personal information in the finance (Gramm-Leach-Bliley Act) and health care (Health Insurance Portability and Accountability Act) industries.

Further complicating matters, some industry standards, such as the Direct Marketing Association's Privacy Promise, apply to multiple companies regardless of their industry sector. The various laws and codes are, at best, overlapping and, at worst, inconsistent, leaving compliance officers to wonder which rule to follow when.

If this is not enough of a quagmire, consider two additional factors bedeviling American business. First, the use of data collected through newer technologies, such as spyware or radio frequency identification technology, is not considered by some analysts to be adequately addressed by existing U.S. laws. Thus, new legislation often is proposed when a new data-collection technology is developed.

When technology evolved slowly, the consequent legal requirements could be developed at a leisurely pace, allowing such rules to be carefully drafted and well-considered. Today, technology changes in the blink of an eye. The result has been something akin to an arms race in the way federal and state legislatures attempt to regulate real and perceived privacy harms.

Second, the globalization of business processes requires the United States to have an information-governance system palatable to the rest of the world. But much of the world now views information management in this country as chaotic, a view that may impede the desire of other countries to allow data to flow freely to the United States.

EUROPE'S MODEL

In contrast to the hodgepodge of privacy mandates in the United States, the European Union has an overarching framework for privacy. While the U.S. system is confusing even for Americans, the EU model appears relatively simple in concept. In Europe, privacy is considered a fundamental human right. Based on the EU Data Protection Directive (adopted in 1995), which provides a common framework for privacy laws in each EU member state, individuals have the right to control the use and disclosure of information that pertains to them.

Data protection laws in each EU member state are harmonized pursuant to the principles set forth in the directive. European data protection laws apply to the collection, use and disclosure of data. The focus is on the information itself. It doesn't matter what technology is used to collect the data or by what medium the data are transferred. It also doesn't matter whether the business managing the data is a bank, a hospital or a toy store. Because of this comprehensive framework, European authorities don't feel the need to enact new legislation each time a new technology is invented.

But there is a considerable cost associated with the European system. All new uses of consumer information require consent from the many individuals whose data have been collected or permission from the relevant data protection authority. Businesses' ability to use data in new ways that might create additional value is necessarily slowed down.

ASIAN ANSWER?

In the United States, the melange of privacy requirements worked effectively for many years to prevent identified harms while not stifling our information-based economy. If a new process threatened a new privacy harm, such as the risks of the Internet for children, Congress passed a law to manage the danger. But the system has now become too disjointed.

Given the existing patchwork of privacy requirements and the difficulty of complying with overlapping or conflicting federal, state and industry-driven mandates, the stage is set for major federal legislation. Any such legislation would need to pre-empt related state laws.

A model for this type of legislation may be found in the privacy framework currently being devised by the Asia-Pacific Economic Cooperation, an organization of 21 member economies, including the United States. For the past two years, APEC has worked to develop a privacy framework for the Asia-Pacific region, which would then provide a basis for individual countries to develop their own privacy laws.

The process has progressed in a carefully paced manner, informed by prior privacy regimes. The agreed-upon principles include the need for guidelines regarding the prevention of harm from privacy encroachments, notice to individuals about what data are being collected and why, and a limited right of individuals to access data that a business collects about them. The APEC principles build on privacy principles first developed by the Organisation for Economic Co-operation and Development. Those principles have formed the basis for international privacy discussions for the past 20 years.

As one of the architects of the new APEC framework, the United States has the expertise to begin defining a new domestic privacy standard based on the same principles. We can start by determining how our current patchwork of privacy regulations compares with the APEC principles and addressing the gaps in a meaningful manner.

The process of crafting a new national privacy framework will be difficult. But the cost of not doing so is continued uncertainty, confusion and international mistrust. Ultimately, a new privacy regime in this country will prove beneficial to both American consumers and American businesses.

Lisa J. Sotto is a partner in the New York office of Hunton & Williams, where her practice focuses on privacy and information management issues. Martin E. Abrams is the executive director of the firm's Center for Information Policy Leadership. This article was published on Law.com.

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.