by Daniel J. Solove
PART 1
Are privacy and security laws being enforced effectively? This post is part of a series called Enforcing Privacy and Security Laws.
How are privacy and security laws enforced? How should they be enforced? What enforcement works well? What doesn’t? What are the various agencies that are enforcing privacy laws doing? How do the agencies compare in their enforcement efforts?
I plan to explore these questions in a series of posts. Collectively, I’ll call this series “Enforcing Privacy and Security Laws.”
The Goals of Enforcement
Why should privacy and security laws be enforced? Does enforcement really matter? And what should enforcement entail?
Someone once made a great quip that went something like this: “For privacy, in the EU there are very strict rules but they are barely enforced. In the US, there are barely any rules, but they are strictly enforced.”
Enforcement in the US is indeed quite robust comparatively. According to one study, the top 20 fines against companies for data protection violations were all issued by US agencies.
The method and frequency of enforcement depend upon the goals of enforcement. Here are some of the most common goals that we would want out of an enforcement regime:
Compensation for Harm
One key reason to enforce is to compensate people for harm. However, a major challenge with privacy and security is that harm has been very difficult to define in this context. I have explored the issue of harm in a series of posts:
Part 1: Privacy and Data Security Violations: What’s The Harm?
Part 2: Why the Law Often Doesn’t Recognize Privacy and Data Security Harms
Part 3: Do Privacy Violations and Data Breaches Cause Harm?
Part 4: How Should the Law Handle Privacy and Security Harms?
Disgorge Unjust Enrichment
Another goal of enforcement is to make violators disgorge the money and benefits that violations brought. This goal is partly one of deterrence, but also partly one of justice – that one shouldn’t profit from one’s wrong.
Specific Deterrence
Specific deterrence involves meting out a penalty that will deter the particular violator from committing another violation. It is aimed at shaping the conduct of the particular violator.
General Deterrence
General deterrence involves meting out a penalty that will deter other potential violators from committing a violation. The focus isn’t on what will deter the particular violator – the goal is to deter others. For example, a small penalty might be sufficient to stop a particular violator from repeat offenses, but it might not be enough to scare others, so a large penalty might be issued to scare others from committing violations. Enforcement can thus be used to make an example out of a violator, with a punishment that might be more severe than the infraction.
Expressive Functions
Enforcement action can also have an expressive function. The goal here is to make a statement – to express through the enforcement that violations are strongly disfavored. For example, several agencies post enforcement actions on their websites, such as the FTC and HHS. HHS’s site where actions are posted is dubbed “The Wall of Shame.” This is an expressive function, and it has reputational costs for violators.
Oversight
Another goal of enforcement is to gain better oversight of a particular entity. FTC enforcement works this way. For privacy and security violations under Section 5 of the FTC Act, the FTC does not issue fines. The FTC typically settles the cases and requires a 20-year consent order with routine auditing. If a company violates the order, a fine can then be issued. Many enforcement actions thus have the effect of placing companies under greater oversight by the FTC.
Corrective Action
Enforcement can also be a way agencies help companies take corrective action and improve their practices. Many consent orders require companies to take steps that will enable them to better comply with the law, such as establishing more effective training programs or developing improved privacy and security compliance programs.
Retributive Functions
Another goal of enforcement is retribution – the righting of wrongs. Enforcement seeks to right wrongs by issuing a penalty proportionate to the wrong. A key component of retribution is the proportionality of the penalty to the infraction. For deterrence, in contrast, the penalty need not be proportionate to the infraction – the penalty should be the appropriate amount that will achieve the desired level of deterrence. For retribution, proportionality matters because retribution is rooted in a sense of balance and fairness, and it is less consequentialist than deterrence.
Why Do These Goals Matter?
These goals matter because they affect the types and amount of the penalties imposed, as well as the frequency of enforcement. Many agencies have limited resources, so they are very selective about what violations they choose to enforce.
For example, according to Congressional testimony by Professor Woodrow Hartzog, the FTC has brought only 55 data security complaints since 2008. But since 2005, there have been 4300 data breaches. I have read about many of these data breach incidents, and there are many more that could readily qualify as worthy of an FTC complaint. The FTC is thus using its resources selectively, choosing cases for a variety of reasons.
Would more actions make a difference? The answer depends upon the goals of enforcement. If the goal is deterrence, then maybe. In the context of privacy and data security, would smaller more frequent enforcement actions yield more deterrence than a few large prominent actions? I don’t know the answer. If the goal is retribution, then all violations should be enforced. The appropriate method and degree of enforcement are thus tied to the goals, and this is a challenging issue without easy answers.
In the posts that follow, I will examine different agency enforcement practices and strategies. I hope to shed some more light on this topic, as well as make some useful comparisons in the way that privacy and security violations are being enforced. I hope you join me for the rest of this journey.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security awareness training, HIPAA training, and many other forms of training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 800,000 followers.