Samantha Gilbert asks if growing calls for a consistent stance on how companies can compliantly use data for COVID-19 contact tracing, targeted advertising and other issues have the collective momentum to push the US to implement a federal data privacy law.
The question of whether the US needs a federal data protection law is not new, but the COVID-19 pandemic, among other factors, has shifted the debate. Discussion over whether a unified response on data protection would clarify how citizens’ data can be used for COVID-19 contact tracing, and strengthen control over how tech giants use citizens’ data, has increased support for a federal law among both citizens and businesses. “The current moment feels different as several trends are coalescing to change the privacy zeitgeist and give multiple constituencies reasons to support federal action,” says Alan Raul, leader of Sidley Austin’s privacy and cybersecurity group in Washington, DC.
Historically, the US has resisted implementing a federal law for data privacy, in favour of state-based and sector-specific legislation. Current sector-specific legislation in the US includes the Health Insurance Portability and Accountability Act (HIPAA) (for health data), the Gramm-Leach-Bliley Act (regulating the protection of financial data), and the Family Educational Rights and Privacy Act of 1974 (protecting student data). This approach is seen to encourage innovation: states can experiment with different approaches and learn from one another, and businesses can be more exploratory when trying new products and ideas, instead of following a prescriptive regime.
However, recently states have begun introducing their own privacy laws to determine how all companies, not just those in regulated sectors, can protect data privacy. In California, for example, the enforcement deadline for the California Consumer Privacy Act (CCPA) is this week, and yet further legislation has already been proposed: the California Consumer Data Privacy Act. Other states finalising privacy laws over the next year include New York, New Hampshire and Maryland. Many of these laws have derived some concepts from the EU’s General Data Protection Regulation (GDPR), which has triggered “bipartisan concern that the US is at risk of surrendering its role in establishing the rules of the information economy, as more and more nations and businesses build programmes based on the GDPR,” according to Christopher Fonzone, a partner in Sidley Austin’s privacy and cybersecurity group in Washington, DC.
Nonetheless, a federal regime would unify data protection enforcement, and make application of privacy law more consistent, equating to a clearer landscape for compliance teams and relieving the burden of trying to ensure compliance with not just multiple state laws, but across different sectors. Marc Gilman, general counsel and VP of compliance at regulatory technology firm Theta Lake, says “if there were standardised federal regulations, that would likely make compliance easier [because] it would provide some kind of stability and clarity and make managing privacy across 50 states easier.”
Business support for a federal law is, therefore, likely to continue. But whether the proposed legislation succeeds depends on whether the varying approaches of 50 states can be aligned in one framework, in a way that is seen to protect technological innovation.
COVID-19 pushing a “unified notion of privacy”
The outbreak of COVID-19 has required an enormous response from governments around the world, which are introducing a range of measures to contain the spread of the disease, including tracing the contacts of individuals who have tested positive. Contact tracing comes hand in hand with complex data protection issues, prompting renewed discussion in the US about the need for a federal data protection regime, which could provide clarification on those issues to facilitate a unified response, as well as strengthen control over how tech giants use citizens’ data more generally. The terms and lawfulness of data-sharing for COVID-19 contact-tracing apps have been hotly debated throughout the world and, within the US, the decisions have been left largely to state authorities. Federal agencies have been criticised for not releasing nationwide contact-tracing apps.
This confluence of trends and interests is “creating real momentum for federal action” – the strongest push that Fonzone and Raul can remember.
“The privacy discussion concerning COVID-19 is, in many ways, a microcosm of the broader discussion about federal privacy legislation that has been going on for the past couple of years,” says Raul. US authorities need to strike a balance between using technology to help open the economy and keeping people safe, while protecting privacy as sensitive information enters the hands of corporations and public bodies. Federal legislation could help by “providing clear rules and regulatory clarity for companies who are looking to invest in and develop these technologies, but it could also lock in rules that are insufficiently respectful of people’s interests or privacy protections that make innovation difficult.”
Companies looking to collect data during the pandemic must navigate what Aaron Simpson, partner in the global privacy team at Hunton Andrews Kurth in New York, calls a “patchwork of privacy and data security laws.” Using healthcare providers as an example, at the federal level HIPAA regulates how “covered entities” (and their service providers) may process health information. However, healthcare providers, as employers, also have to ensure they comply with state laws, which could be more stringent. One example is the California Confidentiality of Medical Information Act, which imposes certain obligations on employers with respect to the confidentiality, protection, use and disclosure of employee health information, and which applies in the context of COVID-19 screening measures.
Congressional Democrats and Republicans have both introduced federal privacy bills to define what data companies can collect, and how, during the pandemic. The Democrats’ bill, the Public Health Emergency Privacy Act, would regulate what data companies can collect during the pandemic (including health data and location data collected by contact-tracing apps), and require them to delete the data once the crisis ends. Companies would be limited to collecting data for public health purposes, and prohibited from using health data for advertising, or to block access to employment, finance, housing or insurance. The Republicans’ competing bill, the COVID-19 Consumer Data Protection Act, similarly would protect health and location data. It also would allow people to opt out of the collection of their personal information and require companies to delete or de-identify data after the pandemic ends. Notably, it would carve out an exemption for employee screening data during COVID-19. “It will be encouraging if Congress manages to pass a covid-related privacy bill, as it may provide insight into how negotiations on an omnibus federal privacy bill would play out,” says Simpson.
Consistency for compliance teams
Many businesses are in favour of a harmonised approach. A federal law “would create a focal point, making it easier to organise compliance efforts and less likely that companies would have to follow fifty, potentially significantly different, state regimes,” according to Fonzone. Also, the stability that comes with a federal regime would provide compliance functions with familiar mechanisms of interpretation and rulemaking, which can aid advance planning. Indeed, as the leader of a compliance team, Gilman would support the idea of a federal law because it would establish a consistent notion of the standard privacy protections, which would be easier for compliance professionals to manage. Already, Gilman and his team try to avoid going down the route of differential approaches per state, by adopting a programme that adheres to the highest international standards.
“We have customers across the globe, so we effectively manage to whatever the highest international standard is. We have protocols in place for GDPR that help with managing a lot of the other privacy regimes in the US and by doing things like the Service Organization Control type 2 (SOC2) compliance report, we can also manage other kinds of security regimes because SOC2 is one of the higher standards for data protection.”
For example, if the GDPR requirement on storage limitation is stricter than any stipulation in US legislation, then a company should build its compliance programme to adhere to the stricter GDPR requirement. However, companies subject to further regulation, such as banks, would still have to be mindful of state-specific legislation.
Managing “borderless” technologies
Since the rise of global technologies like the Internet, US citizens are increasingly seeing privacy as a universal value, Raul says, such that all Americans should share in its protection. Also, business leaders are recognising that they “will soon have to apply multiple state-based legal regimes to the borderless Internet,” which Fonzone says is generally considered unworkable. However, this must be balanced against concerns that a strict, universal regime could stifle technological advances. Historically, the US approach to regulation centres more on trial and error to encourage innovation, rather than following a prescriptive overarching law.
“The US has tended to favour ‘permissionless’ innovation and shy away from regulation based on the stringent application of a ‘precautionary’ principle which prohibits or restricts a broader range of commercial activity. In short, for good or ill, the United States has historically embraced regulatory and enforcement efforts concerning privacy that target abuses rather than the prescriptive regulation more typical in Europe,” explains Raul.
However, there is a growing sense that a new approach is needed – to address the concern about the privacy impacts of new technologies and to defend the US’ status as a leader in privacy and innovation. High-profile cases on the use of consumer data, such as those involving Cambridge Analytica, Yahoo! and Equifax, have sparked what Gilman calls “an urgency to thinking about data privacy at a federal level” and whether a unified approach would help control how tech giants use and share personal data in the online domain.
Cases such as these are presently handled by the Federal Trade Commission (FTC), which uses its authority under section 5 of the FTC Act to bring wide-ranging privacy and data security enforcement actions against entities whose information practices have been deemed “deceptive” or “unfair.” The FTC has proved itself a formidable regulator, having recently imposed the largest ever privacy or data security penalty in the world on Facebook ($5 billion) for sharing user data with third parties without their consent. However, in a recent Memorandum Opinion on the case, the judge of the US District Court for the District of Columbia says the allegations “call into question the adequacy of laws governing how technology companies that collect and monetise Americans’ personal information must treat that information.” There are concerns that the lack of a federal framework hampers regulators’ attempts to set effective limits on digital data collection and usage. Aaron Simpson, partner in the global privacy team at Hunton Andrews Kurth in New York, says “a federal omnibus privacy bill that provides for strong regulatory enforcement certainly would help in enforcement efforts” because, paired with the FTC’s active experience, there would be a clear framework outlining the limits of compliant behaviour for businesses on technology which is not restricted by state borders.
While these arguments appear to support federal legislation, there are still large barriers. “Though privacy interests are strong on both sides of the aisle and in many companies across most business sectors, there is still significant disagreement over whether to allow private litigation to enforce the often-intangible risks associated with privacy regulations and whether a federal regime should pre-empt potentially stricter state laws,” Raul says.
Not only that, but each state also has its own perspective on the consumer right to privacy, which “makes it all the more difficult to agree on what a federal law might look like,” says Gilman. “We don’t have a unified notion of privacy as a fundamental human right in the way that the EU does. […] Even though some regulations that have been passed at the state level (like CCPA) attempt to mirror portions of GDPR in terms of rights to access, etc, they’re still based on the notion of a consumer or a customer.”
However, politics pose a problem. “The business community is so fervently behind a federal consumer privacy bill precisely because it would significantly streamline their compliance burden by pre-empting differing state laws. Conversely, privacy advocates are opposed to federal pre-emption, and state attorneys general typically are loath to give up their ability to enforce legislation that would protect their own residents. The debate over pre-emption is a key variable when it comes to why a federal data breach notification bill has never passed.”
This clash of views has so far led to gridlock over a federal law. While no resolution has yet been found, Simpson expects the dialogue to change: “An omnibus federal consumer privacy bill would greatly benefit companies’ compliance functions by creating harmonisation and predictability, thereby reducing compliance costs and ultimately yielding better privacy and security protections for consumers.”
Verdict: will there be a federal US data protection law?
Opinions differ on whether a federal law is likely to be introduced soon. The current debate and obvious benefits for business and compliance lead Simpson to believe “a US federal data privacy regime has a real chance of passing in the future,” but that businesses and consumers alike may have to wait until after election year. However, he stresses that “the fact that both consumers and the business community are largely united in calling for a single federal standard should mean that the political will is there” in coming years.
Gilman, meanwhile, does not consider it likely. While he would support a federal regime because it would deliver clear guidelines for businesses, he fears that the variation of perspectives between states makes it “implausible from a practical perspective.” While the US continues to emphasise state control and privacy as a consumer right, Gilman has strong doubts that one regime could be implemented which unifies the multitude of perspectives in the 50 states.
Fonzone and Raul agree that, while there is broad bipartisan support for doing something at the federal level on data privacy, disagreements about whether federal legislation should pre-empt state laws or authorise plaintiffs to sue companies for privacy violations are difficult to resolve. Raul suggests that introducing federal data privacy leadership into the White House is a good approach if a federal law is not the answer. “A policy coordinator in the White House to guide the development and harmonisation of federal and international approaches to data privacy and digital practices would be very useful, if not necessary,” he says.
While it may be too early to say for sure whether compliance teams should start preparing for a US federal regime to come into existence, some form of change is on the horizon. As Fonzone says, “it does feel like Congress will likely have to and want to do something in the not-too-distant future” to address the data privacy question in the US.