Key Infrastructure Issues Central to Next Generation Privacy Legislation

A comprehensive privacy law is again being considered in the United States, with numerous draft bills out for discussion. Key elements of any privacy law are how it will be enforced, what will be enforced and by whom it will be enforced. The current approach to privacy legislation in the United States is described in various ways, such as a patchwork of sectoral and specific processing law and a general prohibition of unfair and deceptive practice. No matter how U.S. privacy law is described, many different actors have a role in enforcement. Addressing the regulatory aspect of any new U.S. privacy legislation requires an understanding of the difference between the way the U.S. administers privacy as a consumer interest and how the balance of the world administers data protection. It is inevitable that the proposed bills will be compared with laws in other jurisdictions, such as the European General Data Protection Regulation. However, European experience with data protection oversight began nearly 50 years ago with laws in Hesse and Sweden. Other countries are also considering privacy legislation to facilitate data-driven economies, deal with perceived risks to people and institutions, and/or seek adequacy from the European Union. Some have agencies similar to Europe's; others have authorities that are slightly different. New privacy laws, particularly in the U.S., raise basic structural questions that are better discussed sooner rather than later. This blog's purpose is to set out some key questions to advance this discussion and to serve as a precursor to a small table discussion on these issues on the margins of the FTC privacy hearings when they take place.

To advance the discussion, there are at least four key questions: (1) what is the correct focus for legislation relative to privacy; (2) how should the full range of tasks related to oversight and enforcement be approached; (3) should enforcement include ex ante processes, ex post processes or both; and (4) what type and amount of resources would a regulator or regulators need?

Is Privacy the Correct Focus for Legislation and, If So, What Is Privacy?

It may seem silly to question whether privacy is the correct focus for privacy legislation. Privacy is a bundle of interests that are driven by both substantive and emotional issues. Being unfairly denied credit and ubiquitous Wi-Fi monitoring in stores are both part of privacy, but these issues are addressed with fundamentally different legislative solutions today. After 30-plus years in the privacy field, I have reached the conclusion that I cannot propose solutions to the emotional side of privacy issues, as it is too broad. However, I do believe there are solutions to issues related to lost seclusion in a very observational world, maintenance of autonomy over how I am portrayed, and achievement of fair processing of data about me. So, prior to enacting comprehensive privacy legislation, the sub-issues related to seclusion, autonomy and fair processing should be isolated, since any enforcement model will depend on this foundation. Also, the right remedies should be linked to the problem for which a solution is sought. For example, an autonomy solution should not be applied to a fair processing question, nor should a fair processing solution be applied to what is considered to be a seclusion problem.

Should all tasks related to individual autonomy, seclusion and fair processing be concentrated in one agency or distributed among numerous agencies and offices?

The U.S. has approached privacy as a consumer protection issue, with enforcement delegated to various sectoral regulators whose primary charge is not the complete bundle of autonomy, seclusion and fair processing. The Federal Trade Commission is responsible for fair markets, Health and Human Services is responsible for health, and Transportation is responsible for safe roads, rails and skies. All have responsibility for privacy, and none is a privacy agency. Law enforcement agencies, like the FTC, do what they are charged with doing: policing consumer protection law that explicitly or implicitly relates to data creation or use. Other agencies, with a broader mandate over a specific industry, balance data issues against the other regulatory challenges they face. Most agencies are not charged with protecting individuals in roles beyond that of consumer (an exception is HHS, which is charged with protecting individuals in their role as patients).

Some countries have privacy agencies that are charged primarily with protecting individuals' autonomy and that use autonomy as a means of achieving fair processing. Other countries have data protection agencies with various powers to interpret the law, provide guidance based on those interpretations, accept complaints, spot check the market, investigate legal breaches, charge those parties that may have broken the law, make a determination of guilt, and punish. At least 16 civil society organizations in the U.S. have suggested the U.S. should have such an agency. Should all those powers be placed in one agency? Or is fair processing best overseen close to where the contextual knowledge exists? A senior public official in another country has determined that putting that much power into one agency creates conflicts between the various roles. Some have suggested the FTC's role should be expanded beyond its law enforcement mission. If so, which of these roles should be given to the FTC? The IAF believes that all these roles are important but believes a moment should be taken to define them, weigh them, and determine in which agency they should be placed, or whether a new agency should be created in the U.S.

Ex Ante Oversight Versus Ex Post Enforcement

European data protection includes both ex ante oversight processes and ex post enforcement. Two examples of ex ante processes are Binding Corporate Rules approvals and processing approvals where data impact assessments show there is residual risk. In the U.S., there are pre-approval processes related to Privacy Shield and the APEC Cross Border Privacy Rules, but the reviews are not conducted by regulatory agencies.

All privacy enforcement agencies across the world have some authority to review industry practices. For example, the FTC conducted a study on data brokers to better understand the industry's behavior, and data protection authorities, such as the French CNIL and the Information Commissioner's Office in the United Kingdom, have the authority to conduct spot audits. Increasingly, there is a sense that formal spot checking is necessary for accountability processes, such as the ones put forward by the Information Accountability Foundation. That is why the IAF has suggested companies stand ready to demonstrate what they do with data and why. The IAF has suggested, for example, that codes of conduct will become increasingly important. Codes and certification raise specific ex ante oversight issues. Should codes be approved by a regulatory agency that would then enforce them? Or might approval be delegated to a third-party accountability agent? If the latter, how would that accountability agent be overseen?

What Type and Amount of Privacy Resources?

The UK's ICO has a staff of at least 500 people, with at least 250 involved in data protection. This serves a population of 60 million. If one were to extrapolate to the U.S., which has the most innovative data users in the world and a population of 350 million people, U.S. governmental agencies would employ 1326 privacy staff. The FTC has publicly stated that its privacy division has a staff of 34. There are also staff in enforcement and in the commissioners' offices who are doing privacy work, so the FTC might have 50 privacy staff. There are also privacy enforcement staff at HHS, the FCC, the banking agencies and the state attorneys general. My guess is that the total staff dedicated to privacy in the U.S. does not reach anywhere near 1326.

It has been suggested that the very active plaintiffs' bar in the U.S. is an effective supplement to enforcement agencies. The plaintiffs' bar has been involved in Fair Credit Reporting enforcement since day one. Reviews of that form of enforcement are mixed. However, it is clear the corporate community is not typically enamored with enforcement through private litigation.

What is clear is that there is a gap between what the U.S. is paying for enforcement and oversight today and what will be required by new legislation. This gap needs to be addressed before the U.S. enacts privacy legislation.

There will be a great deal of debate on what the new rules should be for achieving appropriate seclusion, autonomy and fair processing. The IAF will actively encourage and conduct research on these four key legal infrastructure issues so they are part of the public debate. Please join us in this endeavor.
