CC image courtesy of Pexels
By Bradley Cho*
A Government Accountability Office (GAO) report released in May 2016 indicated that twenty-four major U.S. federal agencies were subject to over 77,000 attacks in 2015 alone, a massive 1300% increase since 2006.[1] This survey comes in the wake of a serious breach beginning in March 2014 at the Office of Personnel Management (OPM), where Chinese hackers compromised the personal data of at least 21.5 million American citizens.[2] While such incidents have underscored the serious need for robust data security in the United States, both Congress and American regulatory bodies have been slow to respond. Privacy frameworks in the United States, out of long-standing respect for free speech principles, have largely been left to industry self-regulation, with the Federal Trade Commission (FTC) patrolling the outer legal boundaries of that sphere.[3] The US government’s philosophy is largely embodied in the FTC’s Fair Information Practice Principles (FIPPs), which are voluntary industry recommendations regarding privacy-oriented data protection practices.[4]
However, the era of such laissez-faire data regulation may be coming to an end. In February 2012, the Obama administration released a comprehensive framework for protecting privacy in the global digital economy.[5] At the heart of this framework is a “Consumer Privacy Bill of Rights,” which calls for the development of data privacy practices under FTC oversight.[6] The FTC has also called on Congress to enact “baseline privacy legislation,”[7] which would replace the current “sectoral approach” where data privacy statutes exist in a piecemeal fashion to cover only very specific activities.[8] This article examines the current state of data privacy laws in the United States, how comprehensive “omnibus” privacy laws have fared abroad, and key lessons that can be learned in efforts to implement similar processes in the United States.
The Federal Government’s Current Sectoral Approach to Privacy Regulation
Since the passing of the Privacy Act of 1974, the nation’s first data security legislation, Congress has passed dozens of statutes affecting personal data security in both government and industry.[9] While numerous, this “sectorial” legislation offers only a piecemeal framework for privacy protection, regulating privacy in certain sensitive areas. For instance, the Video Privacy Protection Act of 1988 (VPPA) only protects against wrongful disclosures of consumers’ video tape rental or sale records,[10] while the Driver’s Privacy Protection Act of 1994 prohibits the unauthorized disclosure of DMV information without express consent.[11]
Such scattered protection of personal information has long been criticized as being carried out “in an inconsistent and episodic manner,”[12] leading to inevitable protection gaps and confusion. The FTC, the largest regulatory body in the United States in regards to personal data, has likewise been criticized for its selective enforcement of only the most egregious offenders.[13]
Looking Abroad
Naturally, many scholars and thinkers advocating for data privacy reform have looked abroad, setting their sights particularly on the European Union. In the EU, comprehensive omnibus laws exist to recognize privacy rights in personal data.[14] The 1995 European Union Directive on Data Protection required member states to enact laws that reflect certain data protection principles, where data is only collected and used for explicit and legitimate purposes.[15] It was once called “the world’s most ambitious, far-reaching data privacy initiative of the high-technology era.”[16] In April 2016, the EU went one step further by passing the General Data Protection Regulation (GDPR), a new statutory body that will supersede the Directive on Data Protection once fully implemented in 2018.[17] These legislative instruments are ultimately based on the idea of “informational self-determination”—a concept commonly recognized as a fundamental human right in the EU.[18] Many foreign jurisdictions outside Europe—such as Canada, Australia, and New Zealand—have adopted similar, EU-inspired privacy legislation.[19]
While some have called for similar implementation in the United States,[20] the U.S. government and public have proven extremely resilient to such initiatives. U.S. corporations have criticized the massive amount of resources required to comply with such laws,[21] while other critics have portrayed EU-inspired laws as “an impediment to innovation and economic progress.”[22] European and U.S. approaches to privacy have notoriously clashed in the international sphere; Europe’s strict consumer-protective legislation is fundamentally at odds with American notions of self-regulation.[23] Nonetheless, an increasing number of commentators have characterized U.S. privacy laws as outdated, calling for reform either through baseline regulations[24] or through market solutions.[25]
What is the Answer?
Any American reform movement will have to straddle the two extremes of current piecemeal data protection schemes and the EU’s broad omnibus legislation. Unique federalism concerns also apply in the U.S., where states have broad jurisdiction to regulate consumer protection, business acts, and related practices.[26]
Instead of turning to Europe, an intermediary solution might be found in Asia, where the Asia-Pacific Economic Cooperation (APEC) has developed a minimum privacy framework for its member nations.[27] As an organization designed to promote free and open trade and investment in the Asia-Pacific,[28] APEC’s framework is designed to be adopted by its member nations in methods that best work locally, whether “legislative, administrative, industry self-regulatory[,] or a combination of these methods.”[29]
Although superficially similar to the current U.S. regulatory scheme and largely aspirational in nature, the APEC framework has several distinct advantages. First, key data privacy terminology such as “personal information” and “publically available information” are clearly defined.[30] Second, the nine APEC Privacy Principles—preventing harm, notice, collection limitation, uses of personal information, choice, integrity of personal information, security safeguards, access and correction, and accountability[31]—help balance effective information privacy protection and the free flow of information in a manner that may be palatable to American values. The APEC Framework’s key difference from the EU’s approach is that it stops short of prescribing specific technical requirements. Rather, it stresses the importance of multi-stakeholder processes that encourage innovation while allowing for effective, participatory implementation.[32]
A baseline federal privacy legislation in a similar vein can give greater predictability regarding the use of personal data, while providing flexibility for local and state governments to build upon, and for regulatory bodies such as the FTC to regulate. Industry experts frequently criticize the lack of cohesiveness that current piecemeal, sectoral legislation provides.[33] However, by creating a standard set of definitions and objectives that can apply to both public and private sector actors, a baseline statute similar in spirit to the APEC framework can strengthen the FTC’s regulatory powers while allowing broad exemptions to suit self-regulation and local preferences.
Conclusion
The Obama administration has called for data privacy reform that would simultaneously, and seemingly paradoxically, “provide more consistent protections for consumers and lower compliance burdens for companies.”[34] Experience with strong-arm EU omnibus privacy laws appeared to indicate that championing privacy will necessarily require a tradeoff of corporate flexibility and innovation. However, as the public clamor for baseline data privacy legislation grows,[35] a better approach that respects American values and unique U.S. federalism concerns might very well already exist in Asia. APEC has successfully crafted a data privacy framework that provides a baseline of both definitions and expectations, while giving generous space for addressing local concerns and self-regulation by stakeholders.
_____________________________________________________________
Citation: Bradley Cho, Thinking Outside the Box: Looking Abroad for a New U.S. Data Security Framework Introduction, 5 Cornell Int’l L.J. Online 1 (2016).
*Bradley Cho is a J.D. candidate at Cornell Law School where he is a Cornell International Law Journal Associate. He holds a Bachelor’s Degree from Yale University.
[1] U.S. Gov’t Accountability Off., GAO-16-501, Agencies Need to Improve Controls over Selected High-Impact Systems 1 (2016) (describing the exponential increase in data privacy breaches over the last decade).
[2] Id.; David Bisson, The OPM Breach: Timeline of a Hack, Tripwire (June. 29, 2015), https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/the-opm-breach-timeline-of-a-hack/; Michael S. Schmidt et al., Chinese Hackers Pursue Key Data on U.S. Workers, N.Y. Times (July 9, 2014), http://www.nytimes.com/2014/07/10/world/asia/chinese-hackers-pursue-key-data-on-us-workers.html?_r=0.
[3] Fed. Trade Comm’n, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers, at ii.
[4] Frederik Zuiderveen Borgesius, Jonathan Gray & Mireille Van Eechoud, Open Data, Privacy, and Fair Information Principles: Towards a Balancing Framework, 30 Berkeley Tech. L.J. 2073, 2101 (2015).
[5] The White House, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy 11 (2012).
[6] See id.
[7] See Fed. Trade Comm’n, supra note 3, at i.
[8] Paul M. Schwartz, Preemption and Privacy, 118 Yale L.J. 902, 904 (2008).
[9] See id. at 905.
[10] Gregory M. Huffman, Video-streaming Records and the Video Privacy Protection Act: Broadening the Scope of Personally Identifiable Information to Include Unique Device Identifiers Disclosed with Video Titles, 91 Chi.-Kent L. Rev. 737, 737 (2016).
[11] Katherine Hutchison, That’s the Ticket: Arguing for a Narrower Interpretation of the Exceptions Clause in the Driver’s Privacy Protection Act, 7 Seventh Cir. Rev. 126, 126–27 (2012).
[12] Paul M. Schwartz, Privacy and Democracy in Cyberspace, 52 Vand. L. Rev. 1609, 1633 (1999).
[13] Woodrow Hartzog & Daniel J. Solove, The Scope and Potential of FTC Data Protection, 83 Geo. Wash. L. Rev. 2230, 2230 (2015).
[14] Paul M. Schwartz, European Data Protection Law and Restrictions on International Data Flows, 80 Iowa L. Rev. 471, 473 (1994).
[15] Common Position (EC) No/95 With a View to Adopting Directive 94/ /EC of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (C 93, April 13, 1995).
[16] E.g., Steven R. Salbu, The European Union Data Privacy Directive and International Relations, 35 Vand. J. Transnat’l L. 655, 655 (2002).
[17] See Paul M. Schwartz & Daniel J. Solove, Reconciling Personal Information in the United States and European Union, 102 Calif. L. Rev. 877, 885 (2014).
[18] Bundesverfassungsgericht [BVerfG] [Federal Constitutional Court], Dec. 15, 1983, 65 BVerfG 1, 68–69 (1984) (Ger.).
[19] David Scheer, Europe’s New High-Tech Role: Playing Privacy Cop to World, Wall St. J. (Oct. 10, 2003), http://www.wsj.com/articles/SB106574949477122300.
[20] Id.
[21] Id.
[22] See, e.g., Am. Chamber of Commerce to the Eur. Union, AmCham EU Position on the General Data Protection Regulation 3, 6, 11 (2012), https://dataskydd.net/wp-content/uploads/2013/01/AmCham-EU_Position-Paper-on-Data-Protection-20120711.pdf.
[23] See Salbu, supra note 16.
[24] See Fed. Trade Comm’n, supra note 3.
[25] Paul Rose, Comment, A Market Response to the European Union Directive on Privacy, 4 UCLA J. Int’l L. & Foreign Aff. 445, 445 (1999).
[26] Richard J. Peltz-Steele, The Pond Betwixt: Differences in the U.S.-EU Data Protection/Safe Harbor Negotiation, 19 J. Internet L. 1, 17 (2015).
[27] APEC Cross‐border Privacy Enforcement Arrangement, Asia‐Pacific Econ. Cooperation, http://www.apec.org/Groups/Committee-on-Trade-and-Investment/Electronic-Commerce-Steering-Group/Cross-border-Privacy-Enforcement-Arrangement.aspx (last visited Nov. 3, 2016).
[28] About APEC, Asia‐Pacific Econ. Cooperation, http://www.apec.org/About-Us/About-APEC.aspx (last visited Nov. 11, 2016).
[29] See APEC Cross‐border Privacy Enforcement Arrangement, supra note 27, at 3.
[30] See id. at 31.
[31] See id.
[32] Marc Rotenberg & David Jacobs, Updating the Law of Information Privacy: The New Framework of the European Union, 36 Harv. J. L & Pub. Pol’y 605, 648 (2013).
[33] Grant Gross, Microsoft’s Bill Gates Wants New Privacy Law, CIO (Mar. 7, 2007), http://www.cio.com/article/2441839/security-privacy/microsoft-s-bill-gates-wants-new-privacy-law.html.
[34] See The White House, supra note 5, at ii.
[35] Justin C. Pierce, Shifting Data Breach Liability: A Congressional Approach, 57 Wm. & Mary L. Rev. 975, 1001 (2016).