The Need for Unified Data Protection in the U.S.

Consumer data in the United States is protected by a scattershot of local laws that are inconsistently enforced. The U.S. is also the only country in the Organisation for Economic Co-operation and Development (OECD) that does not have a data protection agency. This needs to change. 

Centralizing data privacy lawmaking and enforcement at the federal level would provide far more stability than the current fractured approach of states and other localities making their own laws and using their own enforcement mechanisms. A national data protection act, or DPA, is important not just for the consumers, but also for companies who handle data and are responsible for implementing compliance controls. With a coherent national approach developed with input from all industry players and consumer and privacy groups, companies will be able to better understand their obligations and related enforcement, and therefore will be able to more effectively and efficiently protect their customers’ data. 

Having a single federal data privacy law would allow companies to focus their efforts on compliance and protection of individuals’ rights, and not on a complex and shifting set of requirements that would differ depending on the jurisdiction(s) at play for each individual or piece of data. The more complex the tapestry of laws that apply to personal data, the harder compliance will be. Europe learned this lesson and has implemented General Data Protection Regulation as an European Union-wide privacy law. We should do the same.

In February, Se. Kirsten Gillibrand, D-NY,  proposed legislation for a federal DPA. More recently, Sen. Sherrod Brown, D-Ohio, introduced a draft privacy bill that would protect consumer data. We applaud these important steps toward creating nationally coherent privacy legislation, but the proposed pieces of legislation have flaws. 

Gillibrand’s bill and the media have focused their discussions on tech companies when discussing data privacy, but any regulations need to apply uniformly regardless of company classification. While it’s true that tech companies have an incredible amount of data, so do many major retailers, hospitals, financial institutions, government institutions and others. Furthermore, in today’s complex world, it is hard to define exactly what a “tech” company is. Many companies, especially those that collect personal data, straddle the line between tech and their actual industry. Federal Express has an incredible amount of personal data, but most would consider them a logistics company, and not a tech company. Data privacy legislation must be drafted while considering the needs and duties of companies and consumers in all industries where personal data is collected.

Additionally, preemption by federal law over state law is a well-established principle that enables nationally coherent law. Gillibrand’s bill erodes aspects of federal preemption resulting in increased uncertainty that would make compliance more difficult. The more certainty and coherence that federal privacy regulation can provide, the better companies can protect the data of individuals.

And, although Gillibrand’s proposed legislation discusses privacy enhancing techniques, it does not go a step further and establish safe harbors. Most companies would like to innovate on their data while fully protecting the privacy of individuals’ data. Safe harbors instruct companies with exact techniques for handling data that allows both the desired innovation and strong data privacy protection for individuals. Establishing safe harbors, like using privacy-preserving aggregated and synthesized data (as opposed to deidentified data, which has a real risk of reidentification, as Netflix found out), would give companies blueprints for compliance. Many companies would jump at the chance to use safe harbors to innovate while protecting individuals’ data in a legally-compliant way. 

Brown’s bill claims that it outright “rejects the current, ineffective ‘consent’ model for privacy, and instead places strict limits on the collection, use, and sharing of Americans’ personal data.” The legislation would allow for very few pre-approved cases of data collection and use in the name of personal privacy. But, collecting data is not necessarily a bad thing; companies need data to innovate, and innovation can move technologies forward and improve lives. 

The solution here would be to build anonymization into the laws and require data synthesis before using or sharing any data. This way, individual data remains protected and companies, government agencies or even non-profit organizations could benefit and bring benefits to their audience. Privacy laws should protect individuals’ data while still finding a way to encourage innovation. 

Above all else, the most important thing for the legislative branches and companies to do at this point is to engage in open dialogue. A single federal data protection act, rather than a jumble of state policies, will ensure consumer data privacy while allowing strong US innovation. Legislation needs to be drafted with consideration of the complex nature of modern business and technology and the needs of individuals. This will provide more certainty to both consumers and companies striving to protect those consumers’ data. 

Michael Meehan, JD, PhD, is general counsel for Diveplane Corporation.