The United States lacks a cohesive data privacy law. Presently U.S. law is a combination of federal sectoral laws and state laws. With the growing interest from consumers, tech companies, media, and politicians, there may finally be enough momentum to pass a federal law. This article will discuss the pros and cons of a national data privacy law, the challenges to creating a national privacy law, and how it would greatly benefit businesses.
Pros and cons of a national data privacy law
An obvious pro to a national data privacy law is that organizations could focus compliance efforts on one unified law. This would have the net effect of allowing organizations the opportunity to redirect compliance resources to the protection of data. Another pro is that state agencies could rededicate resources that would otherwise be duplicative of federal efforts. Finally, a national law would pave the way toward remaining competitive internationally as more and more countries pass their own national privacy laws. The European Union’s (EU) sweeping General Data Protection Regulation (GDPR) just came into effect in May of 2018. Japan has reached an agreement with the EU as to the adequacy of Japan’s laws, which streamlines the transfer of data and thus creates enhanced economic opportunities for Japan. If the U.S. passes a national data privacy law and the protections guaranteed under that law are sufficient to gain an adequacy ruling from the EU, it could help U.S. companies remain competitive internationally.
A con to a national data privacy law is that it may halt innovation by the states in protecting the rights of their residents. A federal law may not be as protective as the state laws, causing states to argue the federal law is actually harming their residents.
A federal agency will need to be created or an existing one expanded to handle the new law. Presumably the Federal Trade Commission, which has led the enforcement of data privacy actions, will continue in this role. This will definitely have the effect of expanding federal costs and control, which many may see as a negative.
The challenges to creating a national privacy law
One of the main challenges to a national data privacy law is the system of federalism the U.S. has. The U.S. was founded by states which were concerned about a strong federal government and wanted a certain level of autonomy. Powers not given to the federal government are reserved to the states and the people. Federal law must rely on express delegation of authority by the Constitution or via application of the Commerce Clause of the U.S. Constitution. As civil cybersecurity and privacy are not directly addressed in the U.S. Constitution, the federal government must rely on the Commerce Clause. While the Commerce Clause may ultimately be successful as grounds for a national law, one can anticipate states to resist any preemption of their existing data privacy laws.
One might overcome a state’s objection to a federal law by not pre-empting state law, but then you lose the advantage of reducing compliance costs for organizations. This might remove the incentive for politicians and technology companies to throw their support behind a national law.
A further challenge is creating the political will to create a national data privacy law. Many may resist further federal regulations, so politicians may fear fallout from supporting a new, broad federal law.
Finally, there is the reality of many competing interests. This is true for any legislation, but especially so for one which gets right to the heart of people’s privacy, a U.S. business model of monetizing personal information, and one with international implications. One example of further complexity is the new “NAFTA” known as the United States Mexico Canada Agreement or USMCA. The USMCA has limitations on requirements to disclose artificial intelligence (AI) algorithms. This is potentially in conflict with the EU’s GDPR, which requires a certain amount of transparency as to how automated decisions that impact a person are made. The trouble is that the GDPR just went into effect in May 2018, so there isn’t a body of cases establishing what is a sufficient explanation of automated decision making. While the potential conflict doesn’t directly preclude a national privacy law, it would make a ruling of adequacy from the EU more difficult if the U.S. cannot provide sufficient transparency on AI processes to comply with the GDPR.
How businesses can greatly benefit from a federal law
Businesses can benefit from a national data privacy law by streamlining their compliance program so they can dedicate resources to preventing breaches. Businesses can remain competitive internationally by having a law which is unified and, ideally, sufficient to earn an adequacy ruling from the EU. New businesses will have a lower startup cost for their privacy and cybersecurity program with a simplified regulatory scheme.
Despite the obstacles, the gains from a cohesive regulatory structure outweigh the obstacles and risks of enacting one. The time to pursue this is now, while there is interest domestically and before we fall too far behind internationally.