The US privacy déjà vu
Recent privacy developments in the US are very similar to the EU privacy framework – a reminder that EU law is setting standards not just for Europe, but for the world.
For a European who closely followed the tedious process of negotiating and adopting the EU General Data Protection Regulation (GDPR) in the mid-2010s, US privacy law these days feels very much like a déjà vu. The draft of a promising federal US privacy law, which would for the first time establish a comprehensive data protection regime across the US, has been blocked by issues that almost (but did not) break the adoption of the GDPR. The new US state privacy laws, which have to a great extent sought inspiration in the GDPR, have opened interpretation dilemmas very similar to those that kept EU privacy lawyers busy in 2018 (and in the years since). The US Federal Trade Commission (FTC) has announced a privacy rulemaking which emphasises concepts that have long been a fundamental part of the EU data protection regime.
In this blog post, I unpack these recent privacy developments in the US and draw some intriguing parallels to the EU data protection framework. I first delve into the current status of the US federal privacy law and discuss what its future could look like. I then touch on the recently enacted state privacy laws in California, Virginia, Colorado and Utah, which are changing the US privacy landscape forever. Finally, I comment on the FTC’s privacy rulemaking and how its broad mandate includes concepts first embraced by EU law.
The federal privacy law – too good to be true?
The American Data Privacy and Protection Act (ADPPA) is the federal privacy bill that has probably come the farthest in the legislative process, but it fell short of passing in the House. With Congress in recess, the fate of the bill is unclear, but as the proverb goes, hope dies last, and so some have claimed that the bill may still get picked up by the next Congress.
The ADPPA is a comprehensive data protection law which in many respects reminds me of the GDPR (particularly the provisions on data minimisation, privacy by design, data subject rights, privacy officers and data protection impact assessments), but it comes with a number of US-only specifics such as rules on third-party collecting entities, algorithmic impact assessments, references to the First Amendment and, most importantly, the pre-emption section.
The latter, in particular, has been the main reason for criticism of the ADPPA. Under the doctrine of pre-emption, which is based on the Supremacy Clause of the US Constitution, federal law takes precedence over state law where the two conflict. The ADPPA is drafted in a way that would pre-empt state privacy laws (such as the California CCPA) even where they grant more protections to data subjects. This has been a point of contention for some California-based congressional representatives, as they disliked the idea of potentially lowering the standards Californians have been fighting so hard for.
While pre-emption was the point on which the ADPPA seems to have failed, it was exactly the point that made the GDPR such a pivotal development for EU data protection. In EU law terms, pre-emption can be compared with the principle of primacy, under which (directly effective) EU regulations take precedence over Member State privacy laws. The fact that the GDPR is a regulation and has been applied across the Member States with only minor deviations has made it strong, successful and future-proof.
The US state privacy laws
As already mentioned above, California leads the charge on privacy developments in the US. This January, an amendment of the California privacy law (the CPRA) came into force which contains some additional requirements and sets up an actual data protection authority. The California privacy law, adopted back in 2018, opened the way for a few other states to adopt their own privacy laws, most of them based on very similar principles. In Virginia, a comprehensive privacy statute just came into effect on 1 January, Colorado and Connecticut’s laws are scheduled to come into force in July 2023, and Utah’s law will take effect in December.
From a privacy practitioner’s standpoint, the proliferation of privacy laws across different states is not ideal. It is easy to get lost in minor deviations between state laws, overcomplicated privacy policies and scattered privacy compliance programmes.
The situation reminds me of the ‘old times’ in the EU, when every Member State had its own national privacy law, and these laws could differ from each other in both format and substance. However, the EU at least had, since 1995, a data protection directive that set minimum standards from which the Member States could not deviate. So, in a way, the current US situation is actually worse, because there is no statute that sets at least some basic, cross-sectoral requirements. While a number of federal laws touch on the area of privacy (which the new state laws aim to regulate comprehensively), it is not always easy to determine which law applies in which situation. Take, for example, health data, which has been regulated at the federal level by the Health Insurance Portability and Accountability Act (HIPAA), by the FTC through its anti-deception regulations, and now also through various state privacy laws (commonly as part of the sensitive data category).
The FTC rulemaking
As if there were not enough to follow and digest, the US privacy profession has additionally been hit with the announced FTC rulemaking. In the area of privacy and security, the FTC has been tasked with enforcing Section 5 of the FTC Act (in addition to some other important federal laws), which bars unfair and deceptive acts and practices in or affecting commerce. But in the commercial surveillance economy, says the FTC, there is a need for new rules to protect people’s privacy and information. New ‘market-wide rules could help provide clear notice and render enforcement more impactful and efficient’.
If we put aside the criticism that the FTC is overstepping its enforcement mandate and potentially hurting the adoption of a federal privacy law, and the fact that the rules are likely years away, the advance notice of rulemaking includes a number of interesting points, especially for someone looking at them from an EU perspective. In the notice, in which the FTC asks the public to weigh in on whether and what new rules are needed to protect people’s privacy and information in the “commercial surveillance” economy, the Commission also refers, quite a few times in fact, to concepts and processes that have been successfully implemented in foreign jurisdictions, particularly European ones. One striking example is the reliance on the principle of purpose limitation in relation to data processing and the reference to the ‘compatibility test’, a well-known test under Article 6(4) of the GDPR.
The life of a privacy professional in the US has never been more exciting, but for someone who moved to the States from the EU, it is also a great reminder of what the Union has achieved by aligning all its privacy laws under the umbrella of the GDPR and setting standards not just for Europe, but for the world at large.