The Continuing Call for Comprehensive Data Protection Legislation: Top Down or Bottom Up?

September 23, 2020 by Digital Editor

By: Baily Martin

CCPA, which some people think is a Catalyst Causing Privacy Acts, actually stands for the California Consumer Privacy Act, passed by the California legislature to give consumers more control over the personal information that businesses collect about them. Enacted in June 2018, the CCPA is similar to the European Union’s (EU) GDPR – which proved the Growing Desire for Privacy Regulation (although actually titled the General Data Protection Regulation).

The GDPR regulates how companies treat the personal data of EU citizens. The CCPA, the strictest privacy law in the United States, provides California consumers with more control over how businesses use their personal identifying information. California has inspired similar legislation in other states. For example, Vermont, Washington, New York, Nevada, and Florida have introduced their own versions of the CCPA. Massachusetts has bills regarding net neutrality and consumer protection in both houses of their legislature. Puerto Rico has also attempted to pass privacy legislation, entitled the Law for the Protection of Digital Privacy. With privacy bills being debated in many states, there is a risk that 50 different “comprehensive” and conflicting privacy regimes could make conducting business on a global scale extremely challenging. Meaningful federal laws and regulations should seek to resolve the differences among the existing federal and state legal rights and responsibilities.

The CCPA marks the beginning of a ripple effect of a national trend towards data protection legislation. Only about 25 states and Puerto Rico purport to have laws that address data security practices of private sector entities. The patchwork nature of state-by-state legislation will persist without a federal standard. If Congress successfully passes one of many relevant bills introduced and debated in the past couple of legislative sessions, the United States will join 80 other countries with comprehensive national laws protecting personal information. The first bill to emerge was the Consumer Online Privacy Rights Act filed by Senator Maria Cantwell (D-WA) on November 26, 2019. Senators Brian Schatz (D-HI), Amy Klobuchar (D-MN), and Edward Markey (D-MA), all of whom have put forward privacy bills of their own, joined in her bill. On May 7, 2020, Commerce Committee Chair Roger Wicker (R-MS) introduced the COVID–19 Consumer Data Protection Act of 2020, which would provide all Americans with more transparency, choice, and control over the collection and use of their personal health, device, geolocation, and proximity data. The bill would also hold businesses accountable to consumers if they use personal data to fight the COVID-19 pandemic. These rights and obligations incorporate concepts from the CCPA and the GDPR, which provide benchmarks for federal enactment.

Two behemoth political entities — the European Union and the United States — have two very different approaches to maintaining data privacy and protections for their citizens. The EU took a top-down approach to data privacy when the European Parliament approved GDPR in April 2016, but the United States’ approach has been more bottom-up. While the United States’ legal framework on personal data has not meaningfully changed in decades, the EU has enacted multiple data-protection derivatives. In contrast to United States law, EU law protects all personal data, regardless of who collects it or how it is processed. Other advanced economies, such as Canada, Israel, and Japan, have pivoted toward creating privacy regimes that are compatible with the EU’s GDPR rather than with the patchwork approach of the United States. Unlike the EU, the United States does not broadly restrict cross-border data flows and has traditionally regulated privacy at a sectoral level to cover data. The differing and almost conflicting regimes impede data transfers and, as a result, hinder information sharing and cross-sector collaboration among global businesses. Omnibus legislation would not only streamline compliance for U.S. companies, but would also integrate the United States into emerging data-protection norms.

These differences in the American and European approaches to privacy regulation are reflected in litigation in EU courts. In 2015, the European Union Court of Justice (CJEU) invalidated the EU–U.S. Data Protection Safe Harbor decision for the international transfer of personal data in “Schrems I.” The International Safe Harbor Privacy Principles were developed between 1998 and 2000 to provide a single set of data protection requirements for transferring data between the two countries. In 2016, the EU-U.S. Privacy Shield Framework replaced the Safe Harbor provisions to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the EU to the United States in support of transatlantic commerce.

On July 16, 2020, the CJEU invalidated the EU–U.S. Privacy Shield in Maximilian Schrems v Data Protection Commissioner (“Schrems II”). The CJEU instructed companies to assess protections “as regards any access by the public authorities of that third country to the personal data transferred [and] the relevant aspects of the legal system of that third country.” Because the United States privacy regime fails to meet the threshold of “essentially equivalent” to protections in the EU, United States companies are supposed to cease data transfers. The ruling will have a serious effect on a range of United States businesses, and thousands of companies that relied on the Privacy Shield will have to find new legal mechanisms to ensure the safety of any EU data they process. Companies may even prefer to move where they process data, most likely to data centers within the EU.

Although Americans cannot legally avail themselves of specific rights under GDPR, United States companies’ compliance with the new European rules means that the technocrats in Brussels are doing more for Americans’ digital privacy rights than their own Congress. Ultimately, the two power economies are at odds in terms of data privacy legislation. The EU has overarching legislation; the United States, however, is still searching for its federal top-down solution and may find it in one of the proposed bills. But only time will tell.

The year 2019 began with a significant increase in bill introductions addressing various aspects of data privacy, compared to previous years. Privacy bills increased in the year 2020 compared to the year 2019, with additional comprehensive privacy bills as well. However, no omnibus data protection legislation has come to fruition. The rapidly changing data landscape creates the need for an overarching privacy law. The United States is virtually the only developed nation without a comprehensive consumer data protection law and an independent agency to enforce it. Although the Federal Trade Commission (FTC) is the chief federal agency on privacy policy and enforcement in the United States, the agency is not solely focused on protecting consumer data. The FTC has authority to bring enforcement actions against unfair and deceptive trade practices, but it lacks the ability to create prospective data security rules. On the other hand, the European Data Protection Board (EDPB), established by the GDPR, is an independent body that ensures the consistent application of data protection rules throughout the EU. With the year 2020 bringing unprecedented challenges, hopefully the “legislative nightmare” in the United States can end with comprehensive data protection legislation, with either a top-down or bottom-up approach, to foster a compatible global data landscape.


Baily Martin is a 2L at Georgetown University Law Center. She is a Global Law Scholar and serves on the Appellate Advocacy Division of Barristers’ Council. She also serves as a staff editor on the Georgetown International Law Journal and the Georgetown Technology Law Review. Baily has passed her Certified Information Privacy Professional/United States (CIPP/US) exam.