by Daniel J. Solove
Are privacy and security laws being enforced effectively? This post is the third in a series called Enforcing Privacy and Security Laws.
Enforcement in the US
In the United States, a variety of different regulators are responsible for overseeing and enforcing different laws that impact different types of information.
Some laws are exclusively enforced by agencies. Some are also enforced by state attorneys general. Others are enforced exclusively with a private right of action – the ability of individuals to bring lawsuits. Several laws have criminal penalties, which are typically enforced by the Department of Justice (DOJ). And then there are laws that are enforced by a combination of means, such as the Fair Credit Reporting Act (FCRA) which is enforced by two agencies plus private rights of action.
U.S. Enforcement: Federal Agencies
Some of the federal agencies enforcing privacy and security laws include:
Federal Trade Commission (FTC)
The FTC enforces Section 5 of the FTC Act (unfair or deceptive acts or practices), which applies to privacy and data security violations in a wide array of industries. The FTC also enforces the Children’s Online Privacy Protection Act (COPPA), the Fair Credit Reporting Act (FCRA), the US-EU Safe Harbor Arrangement, the Gramm-Leach-Bliley Act (GLBA), and the Red Flags Rule.
Consumer Financial Protection Bureau (CFPB)
The FTC now shares enforcement of FCRA with the CFPB. The CFPB was created by the Dodd-Frank Act of 2010, and it is an independent agency in the Federal Reserve. In 2012, the FTC and CFPB signed a memorandum of understanding regarding coordinating their enforcement of FCRA.
Department of Health and Human Services (HHS)
HHS, through the Office for Civil Rights (OCR), enforces the Health Insurance Portability and Accountability Act (HIPAA) regulations, which protect the privacy and security of health data. Enforcement actions are typically initiated when a complaint is filed. Criminal penalties are enforced by the Department of Justice (DOJ).
National Labor Relations Board (NLRB)
The NLRB enforces the National Labor Relations Act (NLRA) which ensures that employees (whether unionized or not) can engage in “concerted activity” to complain about workplace conditions and issues pertaining to employment terms and conditions. The NLRB has brought several actions about social media policies that run afoul of the NLRA for being too broadly restrictive and chilling speech pertaining to employment terms and conditions. The NLRB has summarized its enforcement in a series of memos.
Federal Communications Commission (FCC)
The FCC enforces Section 222 of the Communications Act, which requires telecommunications carriers to protect customer information. The FCC has established regulations governing how “customer proprietary network information” (CPNI) can be disclosed, with opt-in or opt-out consent requirements depending on the type of use. The FCC, along with the FTC, enforces the Telephone Consumer Protection Act (TCPA), which includes the Do Not Call List. The FCC also enforces the Cable Communications Policy Act (CCPA), which protects data maintained by cable service providers.
Department of Education (ED)
Through the Family Policy Compliance Office (FPCO), the ED enforces the Family Educational Rights and Privacy Act (FERPA), which protects the privacy of student records. FERPA applies to all public schools and to any private school that accepts federal funds (which includes most institutions of higher education). The FPCO also enforces the Protection of Pupil Rights Amendment (PPRA), which protects student privacy in surveys, medical exams, and marketing programs.
US Enforcement: Other Enforcers
Private Rights of Action
Another mechanism of enforcement is through private rights of action – lawsuits by plaintiffs. Several federal and state privacy laws authorize private rights of action, though some don’t. Those that do include FCRA as well as the Cable Communications Policy Act (CCPA), the Electronic Communications Privacy Act (ECPA), the Video Privacy Protection Act (VPPA), and the Driver’s Privacy Protection Act (DPPA). Those that don’t have a private right of action include HIPAA, FERPA, GLBA, and the FTC Act. For a more complete list of statutes with and without private rights of action, see my guidebook to privacy, Privacy Law Fundamentals (with Paul Schwartz), published by the International Association of Privacy Professionals (IAPP).
States have their own privacy and security laws that can be enforced by state attorneys general (AGs) and state agencies. There are notable laws in California, Massachusetts, and Texas, among other states. Some federal laws, such as HIPAA, also authorize enforcement by state AGs.
Enforcement in the EU and Internationally
The EU Data Protection Directive (Directive 95/46/EC) mandates what member nations must enact in their privacy laws. It requires that member states have a “supervisory authority” and individual remedies. Under Article 28 of the Directive, member states shall establish a “supervisory authority” that will have the power to investigate, to stop certain uses of data, and to engage in legal proceedings. These authorities are called Data Protection Authorities (DPAs). You can find a list of them here.
A European Data Protection Supervisor (EDPS) enforces at the EU level. The EDPS is “an independent EU body responsible for monitoring the application of data protection rules by EU institutions.” The EDPS can investigate individual complaints.
Article 22 of the Directive provides that there must be “the right of every person to a judicial remedy for any breach of the rights guaranteed to him by the national law applicable to the processing in question.”
Many other countries have Privacy Commissioners – akin to DPAs – with varying types of powers. The European Commission maintains a list of them here. For the US, the FTC is listed.
* * * *
Enforcing Privacy and Security Laws: Other Posts in this Series
1. Why Enforce Privacy and Security Laws?
2. The Privacy Pillory and the Security Rack: The Enforcement Toolkit
3. Who Are the Privacy and Security Cops on the Beat? [this post]
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security awareness training, HIPAA training, and many other forms of training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 800,000 followers.
If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
* Professor Solove’s LinkedIn Influencer blog
* Professor Solove’s Twitter Feed
* Professor Solove’s Newsletter
Please join one or more of Professor Solove’s LinkedIn Discussion Groups:
* Privacy and Data Security
* HIPAA Privacy & Security
* Education Privacy and Data Security