NEED FOR FEDERAL PRIVACY AND DATA PROTECTION LAW POST SCHREMS II
I. OVERVIEW
On July 16, 2020, the Court of Justice of the European Union (CJEU) issued its decision in Case C-311/18, Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems (2020) (Schrems II). The decision invalidated the EU-US Privacy Shield, while the Standard Contractual Clauses (SCCs) remain intact for the time being. With the global trend of data privacy protection becoming a priority for individuals, governments, and corporations, the question remains whether the U.S. should implement a federal data privacy law.
II. DISCUSSION
In essence, the CJEU ruled that the United States does not afford enough protection to EU citizens when it comes to data transfers. The court found that U.S. surveillance programs such as PRISM and UPSTREAM violated the fundamental rights of EU citizens, who had no adequate legal remedies to challenge the infringement of their data subject rights. This ultimately begs the question, are U.S. citizens receiving comparable protection on the transfer and use of their personal data?
The rapid expansion of technology and the globalization of the internet have created a digitized network premised on the transfer of money, goods, and information. While there are mixed responses from lawmakers following the ruling in Schrems II, one prominent takeaway is that the United States will be forced to adapt on the EU’s terms rather than its own. While the United States’ data security policies are not necessarily being undermined by the EU’s privacy requirements, these requirements may ignite a robust reform of the data privacy infrastructure of the United States. As a consequence, the U.S. will actually be better positioned to navigate the difficulties presented by a data-driven, digitalized society and to better protect the autonomy of U.S. citizens’ privacy rights.
A. Current Data Protection Regulations
Currently, the United States does not have an overarching federal data privacy law akin to the EU’s GDPR. Instead, the U.S. primarily relies on consumer-oriented privacy laws adopted by the states. Active state regulations share many similar data protection provisions while also incorporating contradictory provisions that vary by state. Data privacy provisions can vary in a number of ways, including but not limited to the definition of private data and whether it includes healthcare data, financial records, and/or credit information; breach notification requirements; which individuals and entities are subject to these regulations; and even the legal redress available to victims whose data is exposed.
i. European Union’s General Data Protection Regulation[1]
The EU’s General Data Protection Regulation (GDPR) was enacted in 2018. The GDPR imposed a sweeping regulation that applies to any organization, in any type of business, headquartered in any country in the world, that collects any type of personal information pertaining to EU citizens. The GDPR extends protection to all data that can be used either directly or indirectly to identify an individual. For that reason, the GDPR set the tone for privacy protection in an advanced technological world that is quickly transitioning to cloud services as a pivotal aspect of global business enterprises.
The GDPR has emphasized both accountability and compliance for the protection of personal data. Article 6 of the GDPR designates six situations when it is permissible to obtain an individual’s personal data: (1) with unambiguous consent; (2) when a legally binding contract exists; (3) to comply with a legal obligation; (4) to save somebody’s life; (5) to perform a task in the public interest; or (6) when there is a legitimate interest at stake. Without a justification for one of these six permissible reasons, no data controller/processor is permitted to collect, store, or transfer any individual’s personal data.
Furthermore, the GDPR provides individuals the power to control how their data is used, collected, or processed. An individual has (1) the right to be informed; (2) the right of access; (3) the right to rectification; (4) the right to erasure; (5) the right to restrict processing; (6) the right to data portability; (7) the right to object; and (8) rights in relation to automated decision making and profiling. Thus, organizations are under heightened scrutiny to safeguard the personal data of any EU citizen who engages in global commerce. To that end, the United States should strongly consider enacting a federal policy that affords similar protections and provisions for US citizens.
ii. California Consumer Privacy Act (CCPA)[2]
While the US does not have a sweeping data protection regulation, California’s Consumer Privacy Act (CCPA) serves as a functional equivalent to the GDPR for California residents. If and when the US moves forward with instituting a federal privacy law, the CCPA may serve as a foundational reference point.
The CCPA is intended to further Californians’ right to privacy by giving consumers an effective way to control their personal information, by ensuring the right of Californians to: (1) know what personal information is being collected about them; (2) know whether their personal information is sold or disclosed and to whom; (3) say no to the sale of personal information; (4) access their personal information; and (5) equal service and price, even if they exercise their privacy rights. (See Purposes of Consumer Privacy Act; preemption; construction, Cal. Civ. Prac. Business Litigation § 51:33).
The CCPA applies to the activity of businesses, service providers that serve businesses, and third parties (which can be individuals or organizations). The regulation also prohibits any form of discrimination against consumers who exercise their rights and reject the use of their personal data.
Furthermore, under the CCPA, when a business receives a request regarding the personal information it has collected and stored about a consumer, the business must verify the identity of the person making the request before responding. However, some personal data is already exempted from CCPA requirements. For example, personal health information is strongly safeguarded by the Health Insurance Portability & Accountability Act (HIPAA) and the Confidentiality of Medical Information Act (CMIA), and is therefore already exempted from the CCPA requirements.
At its core, the CCPA incorporates remarkably similar principles and privacy policies as the EU’s General Data Protection Regulation (GDPR). To that end, it is a strong foundational reference for composing an overarching federal privacy law in the United States.
iii. New York Consumer Privacy Act (NYPA) [3]
New York’s legislature has a proposed bill that would act similarly to the CCPA if enacted. The NYPA would permit consumers to inquire about what data a business collects, whom it is shared with, request the deletion of such data, and opt out of any data transfer policies.
The NYPA would apply to legal entities that either conduct business in New York or even target NY residents to consume their products or services, an extra-territorial extension like that of the EU’s GDPR. There is no limitation on the size of business subject to the law and there is no exception for non-profit businesses. All organizations must comply with the data privacy principles.
As written, the NYPA will impose a fiduciary duty on any entity that collects, sells, or licenses an individual’s data. Businesses are required to safeguard consumers’ data against any release that may cause harm to the individual. More importantly, the fiduciary duty supersedes any duty owed to owners or shareholders of the company itself. In other words, the protection of consumer data privacy is a higher priority under the NYPA standards.
The NYPA also creates an inherent private right of action. Consumers would be provided the legal remedy of suing companies for data privacy infringements rather than going through the Federal Trade Commission (FTC) to seek redress. Keep in mind, the lack of legal redress was one of the major policy issues that led the CJEU to invalidate the EU-US Privacy Shield.
Furthermore, New York has also passed the Stop Hacks and Improve Electronic Data Security Act (SHIELD). The SHIELD Act modified the state’s breach notification requirements to afford consumers reasonable notice of when their personal data is at risk of invasion.
While the NYPA has not yet been enacted, it is more proof that the inherent risk created by the digitalization of commerce and information has become a focal point of forward-thinking legislatures. With that in mind, the concepts and proposed principles of the NYPA are another strong reference point for the creation of an overarching federal privacy law.
B. Protected Information
As it stands, the most commonly protected personal data includes the following information:
- Identifiable Information: Any data that can be used to identify, distinguish, contact, or locate an individual
- Personal Health Information: Any data pertaining to an individual’s medical history, ailments, disabilities, insurance information, or any other data gathered by a healthcare provider for the purposes of treatment or diagnosis
- Financial Information: Any data that can be used to trace an individual’s monetary information or account details
- Student Records: Any data collected by an academic institution or other entity including grades, transcripts, or any other educational related information
The number of state-level data regulations is continuing to grow, and enacted laws are being actively amended to keep up with the rapid digitalization of commerce and information. The provisions within these state-level regulations are an effective foundation for the construction of an overarching federal data privacy law.
III. CONCLUSION
In any event, the United States must consider implementing a federal data privacy law. To confront the obstacles created by an evolving landscape of global commerce and information, the United States must conform its data protection laws to maintain the security and integrity of its citizens’ civil liberties and autonomy. While many states have their own variations of consumer and data protection laws, the data subject rights of all U.S. citizens would be best served with an overarching federal regulation that provides fundamental data protection by implementing provisions similar to the GDPR, CCPA, and proposed NYPA.
If you have any questions about this memo, please contact Christopher L. Rasmussen, Managing Partner, Inventus Law, PC., at chris@inventuslaw.com, Abhilipsa Panda, Commercial Law Clerk, Inventus Law, PC., at abhilipsa@inventuslaw.com, or Timothy Kemp, Intern, Inventus Law, PC. at timothy@inventuslaw.com.
Disclaimer: The information on this page is being provided for information purposes only and is drafted entirely on the basis of public resources. Information contained on or made available herein is not intended to and does not constitute legal advice, recommendations, mediation or counseling under any circumstance. This information and your use thereof do not create an attorney-client relationship. You should not act or rely on any information provided herein without seeking the advice of a competent attorney licensed to practice in your jurisdiction for your particular business.
[2] https://www.caprivacy.org/
[3] https://assembly.state.ny.us/leg/?default_fld=&bn=S05642&term=2019&Summary=Y&Actions=Y&Text=Y&Committee%26nbspVotes=Y&Floor%26nbspVotes=Y