A common myth is that the U.S. Congress is a leader in creating privacy and data security law. But this has not been true for quite some time. Congress isn't leading, and even the policies and practices of U.S. companies are increasingly built around the law of the European Union (EU) or of the states.
In the 1970s through the end of the 1990s, the US Congress passed a large number of important privacy laws. Here are some of the most prominent of these statutes:
- Fair Credit Reporting Act (FCRA) of 1970
- Privacy Act of 1974
- Family Educational Rights and Privacy Act (FERPA) of 1974
- Right to Financial Privacy Act of 1978
- Foreign Intelligence Surveillance Act (FISA) of 1978
- Privacy Protection Act of 1980
- Cable Communications Policy Act (CCPA) of 1984
- Electronic Communications Privacy Act (ECPA) of 1986
- Computer Matching and Privacy Protection Act of 1988
- Employee Polygraph Protection Act of 1988
- Video Privacy Protection Act (VPPA) of 1988
- Telephone Consumer Protection Act (TCPA) of 1991
- Driver’s Privacy Protection Act (DPPA) of 1994
- Health Insurance Portability and Accountability Act (HIPAA) of 1996
- Identity Theft and Assumption Deterrence Act of 1998
- Children’s Online Privacy Protection Act (COPPA) of 1998
- Gramm-Leach-Bliley Act (GLBA) of 1999
After 2000, however, the activity slowed down significantly. On the whole, U.S. federal legislative activity on privacy in the 21st Century is not particularly notable. Congress passed the CAN-SPAM Act of 2003. It passed the Video Voyeurism Prevention Act of 2004, but this law was largely symbolic because it applies only on federal property.
Most Congressional privacy legislation of the 21st Century involved amending existing privacy laws, and not all of these amendments moved the law in the direction of strengthening privacy protections. The Patriot Act of 2001 amended ECPA and FISA with many privacy-reducing measures. The FISA Amendments Act of 2008 retroactively blessed an illegal NSA surveillance program, offering only mild protections for the future. The Fair and Accurate Credit Transactions Act of 2003 amended the Fair Credit Reporting Act mostly to add measures that industry already had in place; it was passed primarily to renew the preemption of state law for consumer reporting agencies. The Video Privacy Protection Act Amendments Act of 2013 amended VPPA to lessen its privacy protection because of heavy lobbying by video services that wanted to facilitate more disclosures of people's video-watching data on social media. The USA Freedom Act of 2015 dialed back another troubling NSA surveillance program: one step forward, but only in response to an earlier step backward. The main exception, where an amendment moved the law significantly further toward privacy protection, was the HITECH Act of 2009, which amended HIPAA to strengthen it considerably.
Major privacy laws remain in grave need of an update. FERPA is weak and lacks many of the provisions that more modern privacy laws have. It sorely needs an update. ECPA stands out the most: it regulates electronic surveillance, it was written in 1986, and it is now more than 30 years old. It is crying out for an update — begging, pleading, even screaming for one. Despite bills nearly every year, nothing has happened.
In contrast, the law of the states and of many countries around the world has been far more impactful. At the state level, with California leading the way, we have seen a blizzard of new laws in the 21st Century, including data breach notification statutes, laws restricting employers and universities from demanding that employees or students turn over their passwords, "Ban the Box" laws that regulate employer criminal background checks, cybersecurity laws, revenge porn laws, and many more.
Internationally, many countries have enacted bold new privacy legislation. Recently, the EU promulgated the General Data Protection Regulation (GDPR), which takes effect in May 2018. It is the strictest privacy law in the world.
Companies are no longer looking much to federal privacy law. They are focusing on complying with GDPR. One CPO of a large multinational company recently told me that 75% of her time is spent on GDPR these days.
The failure of the U.S. Congress to lead on privacy has not meant that privacy has gone unprotected. California and other states have stepped into the void. The EU has been the main leader, driving corporate policies and practices. ECPA is largely shaped by judges these days, who have to mold this ancient law to fit today's technology.
In the world of privacy and security law, you can lead or you can sit back and let others craft the rules to shape how companies behave. The U.S. Congress is now a follower.
Privacy and security are important policy areas, and in the past, the U.S. Congress has led. But now, sadly, Congress is becoming increasingly irrelevant, a stuffy place filled with hot air. Meanwhile, it is the EU, along with a few U.S. agencies, U.S. states, and other countries, that everyone is now paying attention to.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum (Oct. 4-7, 2017 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.
NEWSLETTER: Subscribe to Professor Solove’s free newsletter (2x per month).
TWITTER: Follow Professor Solove on Twitter.