The International Forum is a new annual sister event to the Privacy+Security Forum, an annual event held in October at George Washington University in Washington, DC. The regular Privacy+Security Forum will be in its 4th year in 2018. This past year, we had 800 participants.
Paul Schwartz and I created the International Forum to recognize the profound importance of international privacy and security law, not just abroad, but here in the United States.
A common myth is that the U.S. Congress is a leader in creating privacy and data security law. But this has not been true for quite some time. Congress isn’t leading, and even the policies and practices of US companies are increasingly built around the law of the European Union (EU) or the states.
In the 1970s through the end of the 1990s, the US Congress passed a large number of important privacy laws. Here are some of the most prominent of these statutes:
Recently, Congress voted to overturn new FCC rules that regulated the privacy practices of broadband Internet Service Providers (ISPs). The rules applied the Communications Act, 47 U.S.C. § 222, to ISPs, requiring opt-in consent for sharing sensitive customer data and opt-out consent for sharing non-sensitive customer data, as well as imposing transparency requirements. Sensitive data includes precise geo-location, children’s information, health information, financial information, Social Security Numbers, Web browsing history, app usage history, and the contents of communications. The rules also required reasonable data security protections and data breach notification.
This development is a setback in Internet privacy protection, but it doesn’t mean that Internet privacy is doomed. There are many other regulators and sources of privacy law to fill the void.
Pro-industry advocates often decry much privacy regulation and cheer the death of rules such as the FCC rules. They advocate for rolling back the jurisdiction and power of regulatory agencies like the FCC and FTC.
Ironically, efforts to weaken the FTC and FCC probably won’t lead to more freedom for industry. In the short term after regulation is weakened or killed, there is a void, so this seems like a freer zone for companies. But nature abhors a vacuum. Other regulators will fill the void, and typically it is the regulators who are most passionate about protecting privacy, such as California and the EU. They are far more likely to regulate privacy even more stringently than the FCC or FTC.
In the absence of federal regulation, many states pass laws that create a complicated patchwork of inconsistent regulation. This is what happened with data security regulation and data breach notification. Way back in 2005, after the ChoicePoint breach captured national headlines, Congress was considering enacting a law. But it failed to act. Instead, the vast majority of states passed data breach notification statutes, and many states passed data security laws. Instead of having to comply with one law, companies must navigate laws in many states. The most common strategy for companies operating in all states is to try to follow the strictest state law. Thus, the de facto rule is the law of the state with the most stringent protections.
Last year, the death of the US-EU Safe Harbor Arrangement sent waves of shock and despair to the approximately 4500 companies that used this mechanism to transfer personal data from the US to the EU. But a new day has dawned.