The Case for a Comprehensive U.S. Privacy and Data Protection Law

Photo by Manuel Geissinger

In 2016, the European Parliament and European Council adopted the General Data Protection Regulation (“GDPR”),[1] a set of comprehensive data protection rules[2] enshrining seven principles that govern the control and processing of data: (1) lawfulness, fairness and transparency; (2) purpose limitation; (3) data minimization; (4) accuracy; (5) storage limitation; (6) integrity and confidentiality;[3] and (7) accountability.[4]  Data controllers are held accountable through fines, penalties, and sanctions set forth in GDPR Chapter Eight, including among other things a right of compensation and liability[5] for violations of the Regulation.

Europe’s GDPR had widespread effects, including in the United States, where since 2018, California,[6] Colorado,[7] and Virginia[8] have adopted GDPR-style data protection laws, and twenty-two States have attempted to introduce data privacy legislation.[9]  Unlike the GDPR, however, even the strictest American laws lack the GDPR’s breadth of scope and territorial reach.[10]  Most American data protection laws do not afford rights of rectification, restriction, or objection to processing or automated decision-making.[11]  Further, many existing and proposed data protection laws impose much lower penalties for violation and offer a generous cure period.[12]

The new, comprehensive U.S.-data protection laws represent a departure from the prior notice and choice regime.[13]  But without a complete and consistent transition, the problems of the previous regime are amplified across multiple, incongruent state approaches to data, privacy, and security regulation.[14]  Such inconsistency complicates accountability, increases confusion over whether and what data is protected, and imposes incoherent requirements on constituents that raise the cost of compliance and the risk of noncompliance.[15]  Variation among the states is also likely to mean variation in the resources and political will necessary for effective enforcement.[16]  Illustratively, the Georgia Supreme Court has already adopted the view that neither businesses nor state governments have an inherent obligation to protect data that they store, including personal identifying information (“PII”).[17] 

Accordingly, the United States should adopt a single, comprehensive federal mandate on data protection[18] for three reasons: (1) harmonizing data protection regulations in one comprehensive federal mandate will reduce costs of compliance and centralize enforcement authority, and harmonizing with the European Union and other advanced economies like Canada, Israel, and Japan[19] strengthens global data protection and should provide positive externalities in the evolving global technologies space; (2) centralization and uniformity in the law will prevent uneven enforcement if states are unwilling or unable to enforce privacy laws themselves; and (3) the Supremacy Clause would prevent states from asserting that data subjects have no right to data protection without precluding the possibility of states offering greater protections than federally mandated.  The longer Congress waits to adopt a national regulation, the more difficult it will be.  Accordingly, Congress should act now to adopt a comprehensive, national privacy and data protection regulation including rights of objection and restriction, an affirmative duty of care for data controllers and processors, private rights of action, and expanded causes of action for new privacy harms beyond the existing four privacy torts.  Adopting a robust national privacy regulation not only allows the United States to harmonize with other advanced economies, but also offers critical protection against current and future privacy harms in the Digital Age.

[1] Regulation (EU) 2016/679, 2016 O.J. (L 119) 1, available at https://gdpr-info.eu/ [hereinafter “GDPR”].  The GDPR came into force on May 25, 2018.

[2] Matt Burgess, What is GDPR? Wired (Mar. 24, 2020), https://www.wired.co.uk/article/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018.

[3] Including “Security.”

[4] GDPR Art. 5.

[5] GDPR Art. 82.  (Penalties can reach up to twenty million Euros (€20M) or four percent (4%) of global annual turnover, whichever is greater. Art. 83(5)).

[6] California Consumer Privacy Act (“CCPA”); California Privacy Rights Act (“CPRA”).

[7] Colorado Privacy Act.

[8] Virginia Consumer Data Protection Act (“VCDPA”).

[9] Sarah Rippy, US State Privacy Legislation Tracker, International Association of Privacy Professionals (Sept. 16, 2021), https://iapp.org/resources/article/us-state-privacy-legislation-tracker/ (Note that sixteen states have failed to adopt the proposed privacy legislation).  Texas’s proposed legislation likely failed because it was too strict, requiring express written consent for the collection and sale of geolocational data.

[10] Thorin Klosowski, The State of Consumer Data Privacy Laws in the US (And Why It Matters), NY Times (Sept. 6, 2021), https://www.nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us/.

[11] Laura Jehl & Alan Friel, CCPA and GDPR Comparison Chart, Westlaw Practical, https://iapp.org/resources/article/ccpa-and-gdpr-comparison-chart/ (last accessed Sept. 25, 2021).

[12] Id.

[13] Nuala O’Connor, Reforming the U.S. Approach to Data Protection and Privacy, Council on Foreign Relations (Jan. 30, 2018), https://www.cfr.org/report/reforming-us-approach-data-protection (citing HIPAA, FERPA, and COPPA).

[14] Id.

[15] Id.

[16] Nathan Eddy, How EU Authorities See GDPR Effectiveness Two Years In, eWeek (Jun. 17, 2020), https://www.eweek.com/security/how-eu-authorities-see-gdpr-effectiveness-two-years-in/ (demonstrating that European states have already demonstrated such resource limitations).

[17] Kevin Townsend, Georgia Supreme Court Rules that State Has No Obligation to Protect Personal Information, SecurityWeek (May 25, 2019), https://www.securityweek.com/georgia-supreme-court-rules-state-has-no-obligation-protect-personal-information; McConnell v. Georgia Department of Labor, 305 Ga. 812 (2019) (holding that the plaintiff failed to establish the existence of duty requisite for negligence, that the plaintiff failed to show a fiduciary relationship, and that the tort of public disclosure of private facts was inapplicable); Timothy A. Butler, et al., INSIGHT: Georgia Supreme Court Adds to Patchwork of State Data Privacy Laws, Bloomberg Law (Jun. 19, 2019), https://news.bloomberglaw.com/privacy-and-data-security/insight-georgia-supreme-court-adds-to-patchwork-of-state-data-privacy-laws.

[18] O’Connor, supra note 13.  The call to action is not new.  The FTC has called on Congress to pass legislation, and the Obama administration had considered a Consumer Privacy Bill of Rights.

[19] Id.