by Daniel J. Solove
Are privacy and security laws being enforced effectively? This post is #3 in a series called Enforcing Privacy and Security Laws.
Enforcement in the US
In the United States, a variety of different regulators are responsible for overseeing and enforcing different laws, each of which covers different types of information.
Some laws are enforced exclusively by agencies. Some are also enforced by state attorneys general. Others are enforced exclusively through a private right of action – the ability of individuals to bring lawsuits. Several laws carry criminal penalties, which are typically enforced by the Department of Justice (DOJ). And then there are laws that are enforced by a combination of means, such as the Fair Credit Reporting Act (FCRA), which is enforced by two agencies plus private rights of action.
U.S. Enforcement: Federal Agencies
Some of the federal agencies enforcing privacy and security laws include:
* Federal Trade Commission (FTC)
* Consumer Financial Protection Bureau (CFPB)
* Department of Health and Human Services (HHS)
* National Labor Relations Board (NLRB)
* Federal Communications Commission (FCC)
* Department of Education (ED)
US Enforcement: Other Enforcers
Private Rights of Action
Another mechanism of enforcement is the private right of action – lawsuits brought by private plaintiffs. Several federal and state privacy laws authorize private rights of action, though some don’t. Those that do include FCRA as well as the Cable Communications Policy Act (CCPA), the Electronic Communications Privacy Act (ECPA), the Video Privacy Protection Act (VPPA), and the Driver’s Privacy Protection Act (DPPA). Those that don’t have a private right of action include HIPAA, FERPA, GLBA, and the FTC Act. For a more complete list of statutes with and without private rights of action, see my guidebook to privacy, Privacy Law Fundamentals (with Paul Schwartz), published by the International Association of Privacy Professionals (IAPP).
State Enforcement
States have their own privacy and security laws, which can be enforced by state attorneys general (AGs) and state agencies. There are notable laws in California, Massachusetts, and Texas, among other states. Some federal laws also authorize enforcement by state AGs; HIPAA is one example.
Enforcement in the EU and Internationally
At the EU level, the European Data Protection Supervisor (EDPS) is the enforcer. The EDPS is “an independent EU body responsible for monitoring the application of data protection rules by EU institutions.” The EDPS can investigate individual complaints.
Article 22 of the EU Data Protection Directive provides that there must be “the right of every person to a judicial remedy for any breach of the rights guaranteed to him by the national law applicable to the processing in question.”
Many other countries have Privacy Commissioners – akin to the EU’s data protection authorities (DPAs) – with varying types of powers. The European Commission maintains a list of them. For the US, the FTC is listed.
* * * *
Enforcing Privacy and Security Laws: Other Posts in this Series
1. Why Enforce Privacy and Security Laws?
2. The Privacy Pillory and the Security Rack: The Enforcement Toolkit
3. Who Are the Privacy and Security Cops on the Beat? [this post]
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security awareness training, HIPAA training, and many other forms of training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 800,000 followers.