By Daniel J. Solove
The US regulates privacy with a sectoral approach, with laws that are directed only to specific industries. In contrast, the EU and many other countries have an omnibus approach — one overarching law that regulates privacy consistently across all industries. The US is an outlier from the way most countries regulate privacy.
About 15 years ago, the sectoral approach was hailed by many US organizations as vastly preferable to an omnibus approach. Each industry wanted to be regulated differently, in a more nuanced way focused on its particular needs. Industries could lobby and exert their influence much more on laws focused on their industry. Additionally, some organizations liked the sectoral approach because they fell into one of the big gaps in regulation.
But today, ironically, the sectoral approach is not doing many organizations any favors. There are still gaps in protection under the US approach, but these have narrowed. In fact, many organizations do not fall into gaps in protection — they are regulated by many overlapping laws. The result is a ton of complexity, inconsistency, and uncertainty in the law.
Providing privacy training to organizations has shown me just how challenging the sectoral approach can be. Many organizations are regulated by multiple regulators and countless different laws. It’s like a game of collecting baseball cards. Some lucky privacy officers have collected nearly the whole set!
Despite the fact that some organizations can be subject to dozens of federal and state regulators, many countries view US privacy law as weak and inadequate. Indeed, the US is the Rodney Dangerfield of privacy law: It gets no respect.
This doesn’t seem like a particularly good state of affairs. At first, some industries snickered when they fell into a gap. But now the smiles are turning to frowns as they contend with so much overlapping regulation. And these efforts don’t even generate any credit from abroad.
There are several difficulties with the sectoral approach that are only going to become worse over time:
(1) Nobody knows how particular kinds of personal data are protected.
In the US, statutes generally do not regulate based on the type of personal data alone. Not all health data, or all financial data, is regulated in the same way. Instead, the law regulates based on the type of data as well as the type of entity holding that data. Thus, a particular piece of health data is regulated only if it is maintained by certain types of entities or is transferred to others from those entities. And the same piece of health data is regulated differently if collected by a hospital or a tech company or a school.
This is a problem because it generates immense confusion and complexity. Suppose a person were to ask me: “Is the privacy of my health data protected?”
My response: “I’m not sure where to begin. Do you have a few days?”
The person might ask: “HIPAA protects my health information, right?”
I would answer: “HIPAA doesn’t protect all health data. It only applies to health data held by covered entities or business associates. So if the data is held by a company or person that isn’t a covered entity or a business associate, it’s not covered by HIPAA. But it could be protected by other laws depending upon the particular state you’re in or the particular organization that collected it. It could be protected by FERPA or by the FTC Act or many other statutes. Sometimes, it can be protected by all of these things. And sometimes, there might be hardly any regulation or protection.”
The person looks at me in despair. “All I wanted to know is whether the privacy of my health data is protected. Just a yes or no is all I wanted to hear.”
(2) There is a significant lack of respect for US privacy law.
The law in the US is a cacophony of so many different laws and cases that it often lacks consistency or definitive answers. It is difficult for those in the EU to understand that the federal law is only one component of how privacy is protected in the US. In fact, when the totality of federal and state statutes, constitutional provisions, and common law protections are considered, there can be quite a lot of protection under certain circumstances. Of course, there are all sorts of weird cracks and crevices, but there are many instances where there may be even more stringent privacy protection in the US than in the EU.
Of course, not all data is protected equally in an omnibus approach. Certain types of personal data receive special protections (such as sensitive data). But generally, omnibus regulation focuses on the type of data involved and regulates it the same no matter whether it is collected by a car company, a restaurant, a merchant, a hospital, or a bank.
There is a simplicity and elegance to the EU approach to data protection. It can actually be understood. It can even be reduced to some soundbites. It is clear and principles-based. Of course, the EU approach often fails to articulate the messiness and compromises. It sweeps these things under the rug so that everything continues to look immaculate.
In contrast, the US approach displays all its compromises and mess — and even creates needless mess. The result is a body of law that is nearly impossible to describe and that looks as orderly as a Jackson Pollock painting.
(3) Sectors shift over time, and the law fails to keep up.
The sectoral approach used to have many gaps, but now many of those gaps have been filled in, and there is a lot of overlapping regulation. A downside to the sectoral approach is that the sectors don’t stay fixed. Tech companies are getting into health. Cable companies are providing Internet and phone. Various organizations perform functions of many different industries, such as schools, which perform financial services, health services, and so on.
Business doesn’t sit still, and the sectoral boundaries carved into privacy law in the 1970s through the 1990s are no longer the same today. With Congress incapable of changing a light bulb these days, there is little chance that the laws will be adjusted to the way that things are today. The problem will only get worse as the sectors continue to shift over time.
(4) Gaps still remain.
There are still gaps in protection. For example, certain aggregators of data are regulated by FCRA but others doing slightly different functions than credit reporting are not covered — and there are gray areas as to when FCRA regulates.
And there are areas where a much weaker law regulates the same kind of personal data in a different context. Health data maintained about students by school clinics is regulated by the weak protections of FERPA rather than the stronger protections of HIPAA. The difference in protection is staggering.
* * *
It would be wise for the US to move to having at least a baseline omnibus privacy and data security law. There can still be some exceptions for particular industries as needed, but the US law should strive to avoid needless complexity, close gaps, avoid overlap when it is not needed, and strive to eliminate inconsistency.
Is Congress up to the task? We all know the answer to that. But we can still hope for miracles.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 900,000 followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum (Oct. 24-26, 2016 in Washington, DC), an event that aims to bridge the silos between privacy and security.