In a keynote speech before the European Parliament in Brussels on 24 October 2018, Tim Cook CEO of Apple called for the implementation of a Federal privacy law, praising the Parliament for its implementation of the General Data Protection Regulation (“GDPR”):
“We at Apple are in full support of a comprehensive Federal privacy law in the United States. There, and everywhere, it should be rooted in four essential rights: First, the right to have personal data minimized… Second, the right to knowledge… Third, the right to access… and fourth the right to security.”
Data-driven companies are painfully aware that they need to be seen to take consumer privacy seriously or risk alienating customers. However, they are also aware of the regulatory burden new laws would place on their operations. The result is a covert attempt to undermine state legislative efforts by pushing for superseding Federal privacy laws.
The catalyst for change
“The reason we are having this conversation about this more robust and developed federal privacy law is due to the Californian privacy law, which is forcing parties to the table that have been hesitant to have this conversation…”- United States Senator for Hawaii, Mr Brian Schatz
In June, in a characteristically legislatively pro-active move, California passed its own state-level legislation in the form of the California Consumer Privacy Act 2018 (“CCPA”). This reflects how many non-EU jurisdictions are entirely reforming their approach to data protection post-General Data Protection Regulation (GDPR) in an attempt to develop regimes reflecting the commoditisation of data. Argentina, India and Pakistan are a few such jurisdictions. Some, such as Japan, are moving to obtain a data protection adequacy decision from the European Commission.
In the United States, proactive state legislation can present problems due to the varying approaches individual states may take to regulation. The resulting patchwork of regulations can render compliance difficult, compromising consumer’s knowledge and their ability to enforce their rights. No wonder the responses California’s law has necessitated from leaders of data-oriented multi-state business.
In fact, the CCPA has been criticised for being rushed in its implementation. California’s own Attorney General Xavier Becerra criticised the CCPA stating that it “imposes several unworkable obligations and serious operational challenges upon the Attorney General’s Office”.
The CCPA will be effective from 1 July 2020 having undergone a series of amendments on 31 August 2018.
The Senate Committee on Commerce, Science, and Transportation held hearings on 26 September and 10 October 2018 to survey opinion and address concerns. Representatives from multi-national technology companies, regulatory bodies and public interest groups gave evidence.
Committee Chairman John Thune made the current state of play frankly clear- “The question is no longer whether we need a Federal law to protect consumers’ privacy. The question is what shape that law should take.”
During discussions a number of key issues emerged:
Pre-emption of state law: It was much debated whether any Federal law should pre-empt state laws, anticipating issues arising from interstate commerce and providing a framework for any necessary state legislation.
Critically, this would render pre-existing state laws, such as the CCPA, defunct. In making the pre-emption of state laws a condition of the recent calls to legislate, the statements made by leaders of data-driven businesses can only be characterised as self-interested. In the wake of the Cambridge Analytica scandal public opinion undoubtedly favours the implementation of stricter consumer privacy laws, making regulatory change inevitable. Stakeholder’s calls for a Federal law are pre-emptive of the implementation of further strict state-level laws which, to their mind, should be avoided at any cost.
Such an approach undermines the fact that states should be given freedom to supplement any Federal law with their own as necessary. In the event that this approach does create the much-derided “patchwork of regulation,” many multi-state businesses simply adhere to the strictest applicable law. The bottom line is that a Federal law should implement a minimum standard of protection, otherwise it may undermine consumer interests if pre-empting state laws.
The 72-hour data breach notification requirement: Google’s failure to disclose recent breaches in relation to its Google+ service, found to be for reputational reasons, has thrust this issue into the spotlight. Under Article 33 of the GDPR, the fact a data breach has occurred has to be communicated to the appropriate supervisory authority within 72 hours of the organisation becoming aware of it. Notifications must also specify the type of data loss, the scope of the breach, likely consequences, any mitigating efforts taken and details of the organisations Data Protection Officer. Individuals need to be informed directly and without undue delay.
Predictably, many market stakeholders in the United States protested against a 72-hour time limit being implemented under Federal law. Most pre-existing state legislation states that reports must be made between 30-90 days or use contextual wording such as “as quickly as possible and without reasonable delay”. Reporting the fact of a data breach and providing this initial information was seen as practicable under the GDPR; there is no compelling reason why this should be deviated from.
Consumers to opt-in or out of data collection: The GDPR mandates an opt-in model to obtaining consumer consent, requiring clear affirmative action from the consumer (such as ticking an opt-in box), whereas the CCPA uses an opt-out model. For some, this is simply a procedural matter, however, a model requiring consumers to consent clearly to what their data will be used for acknowledges the value of their data and is particularly important when the data being shared is sensitive in nature.
The appropriate regulator: The Federal Trade Commission currently regulates consumer privacy matters and will likely be granted extended powers and resources under any proposed Federal law. At state level, Attorney General’s should also be given appropriate powers to enforce privacy laws on a state-by-state basis.
The propensity for regulation to stifle innovation, unduly disadvantaging start-ups: Concerns arose over whether, in giving consumers greater control over of their data, they will be likely to opt out from smaller companies’ data collection practices, in doing so adversely impacting those businesses. Frankly, this is a stock argument typically advanced in opposition to such regulation which overestimates potential harm and the legitimacy of regulation applying to all businesses. The size of a business is but a single factor in determining the volume of sensitive data it processes and therefore the risk a data breach poses to consumers. The nature of the business, such as the supply of medical equipment or software solutions, will render them prone to processing or controlling higher volumes of sensitive personal data for the purposes of regulation. Implementing a de minimis turnover for the applicability of a Federal law, thereby protecting start-ups, fails to take into account this fact.
Ultimately, a Federal consumer privacy law is unlikely to be comprehensively debated in Congress until next year. What is clear is that the contentious issues have been long-established, not least by the formation and implementation of the GDPR and CCPA. Industry actors are becoming ever bolder in their attempts to influence the formation of the law and a sustained and robust response from consumer interest stakeholders must be maintained to balance competing interests. Otherwise, the implementation of a Federal consumer privacy law is, ironically, at risk of operating akin to a trojan horse.