August 3, 2018 at 11:07AM
International Association of Privacy Professionals
The long and difficult road to a U.S. privacy law: Part 1
This is the first in a series of three posts by Robert Gellman.
A few years ago, the notion of a GDPR-like U.S. privacy law was a pipe dream. While many privacy advocates liked the idea of a broad privacy law, there was no support. Slowly, however, support for a broad U.S. law emerged, largely in response to pressure for simplifying international transfers of personal information. Still, that support was cautious, and no one put forward a specific, comprehensive, and realistic proposal. A vague and weak-kneed proposal took forever to emerge from the Obama administration, and it engendered no interest on Capitol Hill.
It’s now a historical footnote.
Rumors suggest that some camps are developing specific proposals at this time, and a recent report revealed that the Department of Commerce is talking about privacy to some in the business community. It goes without saying, however, that it will be difficult to find common ground among the many interests at stake. It will be even more difficult to find a law that can pass here and that the EU will recognize as meeting the adequacy standard that would allow for the simple transfer of personal information from the EU to the U.S.
It goes without saying, however, that it will be difficult to find common ground among the many interests at stake.
It is not my purpose here to pursue substantive issues that must be resolved to pass a useful general-purpose privacy bill. I want to focus on two little-recognized threshold barriers that exist. My views are informed in part by the seventeen years I spent in the House of Representatives as a staffer with responsibilities that included privacy.
The first barrier is overcoming the consequences of the so-called U.S. sectoral approach to privacy law. We already have privacy laws that cover various sectors of the economy, including credit reporting, federal agencies, schools, financial institutions, video rental, cable television, health, online children’s privacy, and a few others. There is no space here to discuss the inconsistencies in these laws or the many activities with no privacy rules at all. Existing laws passed at different times, went through different congressional committees, and responded to different types of pressure. It’s hard to call these randomly passed laws an “approach,” but I will set that issue aside.
What’s notable about these laws is their differences.
Some laws are more privacy protective than others. Credit reporting privacy rules may be the best that we have. The federal health privacy law has a mixed bag of standards, but it only covers some of the health information in the U.S. The banking privacy law is so weak that it offers almost no meaningful privacy to consumers. The federal government privacy law is so old and outdated as to be laughable. Other laws are all over the place.
The problem is that with different existing statutory levels of privacy, any new generally applicable privacy law will necessarily raise privacy standards in some areas and lower them in others. It is certainly conceivable that a new law could meet the highest standard in any existing law, but the chances of that happening are nil.
So how will a new law reconcile new standards with existing rules?
Further, existing laws have different enforcement agencies and methods. Will a new law replace those agencies and methods? It is hard enough to find agreement on privacy standards. A new law that affects existing institutions by taking away existing authority will face major resistance from those institutions.
This bring us to the second problem. In the House of Representatives, at least six (and maybe more) legislative committees have jurisdiction over some existing privacy law or agency. Even committees with no laws under their belt today would likely claim an interest in a privacy bill. A general-purpose privacy bill that amends existing privacy laws will be referred to all the committees that reported out those laws. What generally happens to a bill that requires action by multiple committees? Nothing. It can be difficult or impossible to convince even three committees to act on the same proposal.
If six or more committees have jurisdiction over a privacy bill, there is only one hope. A broadly referred bill can reach the House floor only if the bill is a priority of the Speaker of the House. Only the Speaker can impose deadlines and discipline on so many committees. There are few precedents here, and only enormous political pressure or a personal interest from the Speaker can work. Even then, reconciling different views of the committees could prove impossible.
I do not know what will happen in the next election. However, I do not foresee any scenario that includes a powerful Speaker committed to privacy. This is likely true no matter who wins control of the House.
The Senate is a different world, and much happens there through negotiations and unanimous consent. A strongly committed Majority Leader can help, of course, but here too, it seems unlikely that the election will produce a Majority Leader with a privacy agenda. Regardless, jurisdictional fights between Senate committees stymied privacy legislation in the past, and it is hard to see how these fights would not recur.
Jurisdictional fights between Senate committees stymied privacy legislation in the past, and it is hard to see how these fights would not recur.
There is a separate set of problems on the appropriations side of Capitol Hill. No one guards jurisdiction and power more jealously than the appropriations committees. If a new privacy bill transferred spending authority across existing appropriations subcommittee lines, that could well present another political and jurisdictional barrier to the bill.
I do not see any prospect in the immediate future for a general privacy law in the United States.
The barriers are large and complex, and I haven’t even begun to address the substantive differences on the many complex policy matters must resolve. Nor have I addressed the massive lobbying campaign that a privacy bill would engender.
For now, the U.S. may be a captive of its so-called sectoral approach to privacy. We made our bed over the last 40 years or so, and we may have to lie in it for a long time.