I have a confession to make, one that is difficult to fess up to on the US side of the pond: I love the GDPR.
There, I said it. . .
In the United States, a common refrain about GDPR is that it is unreasonable, unworkable, an insane piece of legislation that doesn’t understand how the Internet works, and a dinosaur romping around in the Digital Age.
But the GDPR isn’t designed to be followed as precisely as one would build a rocket ship. It’s an aspirational law. Although perfect compliance isn’t likely, the practical goal of the GDPR is for organizations to try hard, to get as much of the way there as possible.
The GDPR is the most profound privacy law of our generation. Of course, it’s not perfect, but it has more packed into it than any other privacy law I’ve seen. The GDPR is quite majestic in its scope and ambition. Rather than shy away from tough issues, rather than tiptoe cautiously, the GDPR tackles nearly everything.
Here are 10 reasons why I love the GDPR:
(1) Omnibus and Comprehensive
Unlike the law in the US, which is sectoral (each law focuses on specific economic sectors), the GDPR is omnibus – it sets a baseline of privacy protections for all personal data.
This baseline is important. In the US, protection depends upon not just the type of data but the entities that hold it. For example, HIPAA doesn’t protect all health data, only health data created or maintained by specific types of entities. Health data people share with a health app, for example, might not be protected at all by HIPAA. This is quite confusing to individuals. In the EU, the baseline protections ensure that nothing falls through the cracks.
Joe Simons (Chairman) – R
Noah Phillips – R
Christine Wilson – R
Rohit Chopra – D
Rebecca Slaughter – D
It is difficult to predict how the FTC will approach privacy. The new commissioners will be inheriting some high-profile investigations (Equifax and Facebook), and they will also be inheriting the legacy of the FTC as serving as the leading privacy regulator in the United States. There are some, such as Berin Szóka, who argue that the FTC’s power needs to be reigned in. In contrast, I posit that just the opposite is in order: the FTC must pursue a bold enforcement agenda.
The reason is that we don’t live in an isolated world. The European Union (EU) has seized the scepter of leading regulator of multinational companies. Nearly every chief privacy officer at a large multinational company tells me that their focus is 90% or more on the General Data Protection Regulation (GDPR) — the massive and rigorous privacy regulation in the EU that will start being enforced on May 25 of this year. Effectively, for many companies, the regulators they are paying attention to are across the pond.
The US shouldn’t let itself fade into irrelevance. For years, the FTC has been working to convince the EU that there really is meaningful privacy regulation in the US — and I believe that this effort made a difference. Perhaps it didn’t convince all EU policymakers, but it definitely had an effect on some policymakers. This was how the US was able to establish the Privacy Shield Framework, built in the smoldering ashes of the Safe Harbor Arrangement that the European Court of Justice demolished in one swift stroke.
In a very important decision, FTC v. AT&T Mobility (9th Cir. 2018 en banc), the U.S. Court of Appeals for the 9th Circuit en banc reversed an earlier panel decision that severely limited the FTC’s jurisdiction to protect privacy and data security. I strongly criticized the panel decision in an previous blog post.
The FTC has taken the lead role in protecting privacy and data security through the FTC Act Section 5, 15 U.S.C. § 45, which prohibits “unfair or deceptive acts” affecting commerce. Section 5(a)(2) contains a list of industries that are carved out from FTC jurisdiction. This list includes banks, airlines, and common carriers. A “common carrier” is defined in the Communications Act of 1934, 47 U.S.C. § 153: “The term ‘common carrier’ or ‘carrier’ means any person engaged as a common carrier for hire, in interstate or foreign communication by wire or radio or interstate or foreign radio transmission of energy.” Common carriers are regulated by the Federal Communications Commission (FCC).
In FTC v. AT&T Mobility the FTC brought a Section 5 enforcement action against AT&T for a part of AT&T’s business that was not regulated by the FCC. However, the 9th Circuit panel concluded that the common carrier exception to FTC jurisdiction was status-based — it applied to common carriers no matter what activities they were engaged in. This means that if a company engages in a non-minor amount of common carrier activities, then everything that it does, including many activities beyond its functions as a common carrier, fall outside the FTC’s power to regulate under Section 5. Because these are non-common-carrier activities, the FCC often can’t regulate them either. This opens up an odd no man’s land where a company can engage in certain activities and escape regulatory enforcement while other companies engaging in the same activities cannot.
Here’s what I wrote about why the earlier 9th Circuit panel decision was problematic:
The FTC released the above chart showing the history of Commissioners, Chairwomen and Chairman of the FTC from 1915 through the present day. According to the chart, The Federal Trade Commission is composed of five Commissioners, and their terms extend for seven years. The Commissioners are appointed by the President with the advice and consent of the Senate. At any given time, not more than three Commissioners may be members of the same political party. The President designates one Commissioner as Chairman, and the Chairman is given the responsibility for the administration of the Commission.
Recently, Congress voted to overturn new FCC rules that regulated the privacy of broadband Internet Service Providers (ISPs). The rules implemented the Communications Act, 47 U.S.C. § 222 to ISPs, requiring opt in for sharing sensitive customer data, opt out for sharing non-sensitive customer data, as well as transparency requirements. Sensitive data includes precise geo-location, children’s information, health information, financial information, Social Security Numbers, Web browsing history, app usage history, and the contents of communications. The rules required reasonable data security protections as well as data breach notification.
This development is a setback in Internet privacy protection, but it doesn’t mean that Internet privacy is doomed. There are many other regulators and sources of privacy law to fill the void.
Pro-industry advocates often decry much privacy regulation and cheer the death of rules such as the FCC rules. They advocate for rolling back the jurisdiction and power of regulatory agencies like the FCC and FTC.
Ironically, efforts to weaken the FTC and FCC probably won’t lead to more freedom for industry. In the short term after regulation is weakened or killed, there is a void, so this seems like a nice freer zone for companies.. But nature abhors a vacuum. Other regulators will fill the void, and typically it is regulators who are most passionate about protecting privacy such as California and the EU. They are far more likely to regulate privacy even more stringently than the FCC or FTC.
In the absence of federal regulation, many states pass laws that create a complicated patchwork of inconsistent regulation. This is what happened with data security regulation and data breach notification. Way back in 2005, after the ChoicePoint breach captured national headlines, Congress was considering enacting a law. But it failed to act. Instead, the vast majority of states passed data breach notification statutes, and many states passed data security laws. Instead of having to comply with one law, companies must navigate laws in many states. The most common strategy for companies operating in all states is to try to follow the strictest state law, Thus, the de facto rule is the law of the state with the most strict protections.