FEATURE
CONTENTS
INTRODUCTION
I. THE PAST AND PRESENT OF INFORMATION PRIVACY LAW
A. The Roots of Privacy Law
B. Omnibus and Sectoral Privacy Laws: U.S. and European Regulatory Paths
1. The U.S. Path
2. The EU Path
C. Recent Federal and State Trends and the Role of Preemption
II. A FEDERAL OMNIBUS PRIVACY LAW: STRENGTHS AND WEAKNESSES
A. Federal Versus State Regulation of Information Privacy
1. Positive Results
2. Negative Results
B. Federal Omnibus Privacy Preemption of State Laws
III. SECTORAL PRIVACY LAW: LIFE UNDER DEFENSIVE PREEMPTION
A. Federal or State Sectoral Regulation
B. A Dual Federal-State System for Information Privacy
1. Federal Consolidation
2. Beyond Ceilings and Floors
3. Second-Best Solutions
CONCLUSION
INTRODUCTION
In March 2007, Bill Gates, Microsoft Chairman, called for the enactment of a comprehensive federal privacy law. (1) His voice became one of many asking Congress to take broad and preemptive action to regulate the collection, storage, and transfer of information across the private sector. A patchwork of information privacy laws now exists in the United States, and it is one with federal and state elements. In the view of Gates and many others, it would be preferable to create a single federal law for the private sector that would impose uniform standards.
A broad coalition, including companies formerly opposed to enactment of privacy statutes, has now formed in support of a national information privacy law. Businesses that have signed on to this policy include Microsoft, Google, eBay, Intel, Oracle, Sun Microsystems, Hewlett-Packard, and Procter & Gamble. (2) The Center for Democracy and Technology, a privacy advocacy group, is coordinating this drive for a nationwide privacy law. (3) Among the benefits that proponents attribute to such a law is that it would harmonize the U.S. regulatory approach with that of the European Union (EU), and possibly minimize international regulatory conflicts about privacy.
This Essay argues, however, that it would be a mistake for the United States to enact a comprehensive or omnibus federal privacy law for the private sector that preempts sectoral privacy law. An omnibus statute establishes regulatory standards for a large field, which can, in many countries, sweep in the entire public and private sectors. In contrast, a sectoral law has jurisdiction over a specific context of information use. As an example, the Video Privacy Protection Act of 1988 establishes rules for the use of video rental information, (4) and the Fair Credit Reporting Act contains rules for the use of credit reports. (5) The EU has long adopted omnibus information privacy laws; the United States has chosen sectoral laws for its private sector.
This Essay traces the history of information privacy law in Part I, discusses different aspects of a federal omnibus privacy law in Part II, and explores the jurisprudence of sectoral law in Part III. Throughout all Parts, it examines privacy statutes from different sectors in the United States, including laws regulating credit information, financial data, and video rentals. It also considers laws in areas other than privacy, such as environmental and labor law, and looks at comparative examples with a special focus on the EU and Canada.
A comparative element of Part I demonstrates American exceptionalism. From the start, U.S. information privacy law has taken a sectoral approach while European information privacy law has centered on omnibus laws. Yet these differences are best explained by a modest historical account of initial choices, path dependency, and the influence within the EU of a longstanding project to harmonize law within different member states. Omnibus privacy laws cannot be said to be fundamentally incompatible with a federal government.
In Part II, this Essay first considers the case for and against a federal omnibus law that functions only as a gap-filler. Such a statute would provide general standards to be used in areas in which no sectoral law exists, or when there is silence or ambiguity in such a law. The case for such an omnibus law is a close one. This kind of omnibus law proves, however, at best a long shot for enactment. Congress is far more likely to enact an omnibus law with strong preemptive language built around regulatory ceilings. Industry has indicated its support for only such a statute, and it may be in a position to derail any other legislation. (6) Yet such a law would be a dubious proposition due to its impact on experimentation in federal and state sectoral laws, and the consequences of ossification in the statute itself.
In contrast, and as Part III examines, federal sectoral statutes have more promise for information privacy. Sectoral laws are also likely to be a future privacy growth field. Due to a regulatory dynamic that scholars have termed "defensive preemption," businesses often may react to statutory innovations at the state level by seeking legislation at the federal level. (7) The critical question is the optimal nature of a dual federal-state system for information privacy law, and this Essay concludes by considering three aspects of this question.
First, there are certain general circumstances under which federal sectoral consolidation of state law can bring benefits. These include the avoidance of inconsistent regulations in areas with high costs and little policy payoff, and the establishment of "field definitions" that can lower compliance costs. Second, the choice between federal ceilings and floors is far from the only preemptive decision that regulators face. In particular, the toolkit of privacy federalism should not be limited to the standard concept of "subject matter" preemption. As this Essay argues, privacy federalism can also include ceilings that extend only to the "conduct" regulated and not the entire subject matter of the regulation. As an example of such conduct preemption, I will discuss the Fair and Accurate Credit Transactions Act (FACTA), an important 2003 amendment to the Fair Credit Reporting Act. (8) Another important aspect of the toolkit of privacy federalism is a sharing of enforcement authority among federal and state regulators.
As a final aspect of its consideration of an optimal dual federal-state system for information privacy, this Essay develops a number of second-best solutions. These policy safeguards are important because Congress may engage at times in broader sectoral preemption than is fully merited. In such circumstances, important policy safeguards to consider include a "plus one" strategy, under which Congress allows at least a single state to retain higher standards or to develop standards different from the federal one. Another policy safeguard would be to subject preemption clauses in federal privacy legislation to a ten-year sunset.
I. THE PAST AND PRESENT OF INFORMATION PRIVACY LAW
This Part looks at the emergence of modern information privacy law and its reliance on Fair Information Practices (FIPs). It then traces the development of omnibus and sectoral privacy laws in the United States and analyzes differences in the regulatory paths for information privacy in the United States and the European Union.
A. The Roots of Privacy Law
The roots of modern information privacy law are found in state common law, and, specifically, in the tort right of privacy. The genesis of this aspect of privacy law was the publication in 1890 of The Right to Privacy by Samuel Warren and Louis Brandeis. (9) Over the course of the twentieth century, and under the helpful influence of William Prosser, author of the relevant sections of the Restatement (Second) of Torts, nearly all states have recognized some branches of the tort right of privacy. (10) The process of adoption of the privacy tort was long, but its acceptance is now nearly universal. In 1998, one of the last three holdouts, Minnesota, adopted the tort of invasion of privacy in Lake v. Wal-Mart Stores, Inc. (11)
Tort privacy relies on litigation by injured parties and decisionmaking by juries. In Robert Post's seminal formulation, tort privacy is centered on civility norms that maintain and structure communal life. (12) It creates a legal process for negotiation of limits both on the community's access to personal information and on the individual's desire for zones without community scrutiny. Tort privacy's centrality to the law of information privacy has also waned over time. As Post rightfully observes, tort privacy is under stress today for two reasons. First, society's need for accountability has placed new emphasis on the community's access to information. (13) Second, the rise of an "instrumental world of large surveillance organizations" is in basic tension with the underlying logic of civility norms. (14) These large surveillance organizations are only one aspect, albeit an important one, of the information age, which is marked by computerized data processing, innovative means for collecting and sharing personal information, and detailed data trails left by all individuals in their daily lives.
The law's chief reaction to these new developments has not been through tort law, but FIPs. (15) This legal response, which began in the United States and Western Europe in the 1970s, defines obligations for bureaucratic organizations that process personal information. The basic toolkit of FIPs includes the following: (1) limits on information use; (2) limits on data collection, also termed data minimization; (3) limits on disclosure of personal information; (4) collection and use only of information that is accurate, relevant, and up-to-date (data quality principle); (5) notice, access, and correction rights for the individual; (6) the creation of processing systems that the concerned individual can understand (transparent processing systems); and (7) security for personal data. (16)
No single privacy statute contains all these rules in the same fashion or form. As a critical matter, the precise content of the rules will be different based on the context of data processing, the nature of the information collected, and the specific regulatory and organizational environment in which the rules are formulated. Of particular note is the enforcement of FIPs. Depending on the form that FIPs take, the law can include some combination of enforcement and oversight through a private right of action and governmental enforcement. Public entities involved in the process of FIPs include the Federal Trade Commission, various federal regulators of financial institutions, Privacy Act officers, and state attorneys general.
B. Omnibus and Sectoral Privacy Laws: U.S. and European Regulatory Paths
The world's first comprehensive information privacy statute was a state law; the Hessian Parliament enacted this statute in Wiesbaden, Germany, on September 30, 1970. (17) In the accepted terminology, this statute is an "omnibus law." It establishes regulatory standards for a broad area--namely the state and local governments of Hessen. This law was followed by those of other German states, which then influenced the form and content of a federal omnibus law, the Federal German Data Protection Act (Bundesdatenschutzgesetz, or BDSG). (18) The term, "data protection," is the standard nomenclature in Europe for information privacy. The 1977 BDSG establishes standards for information processing by public and private entities alike.
The German preference for anchoring data protection law in omnibus privacy statutes is typical of European data protection law. The European Union's adoption in 1995 of the Data Protection Directive has played a key role in this process. (19) The Data Protection Directive envisions that all EU member states follow its requirements by "transposing" them into national law. (20) It leaves the choice of specific legal instruments to each member state, and, at least theoretically, an EU member state could choose to enact a combination of sectoral laws to comply with the Directive. (21) Yet all member states have enacted omnibus laws to transpose the Directive into national law. As Ulrich Dammann notes, the universal favoring of omnibus laws in the EU is unsurprising because the Directive requires a transposition in "its entire range of application." (22) A choice of sectoral laws would place a burden on each member state to enact "a multitude of sectoral regulations." (23) Moreover, each member state was faced with the relatively short deadline of three years that the Directive established for compliance with its standards. (24) Enacting a complete range of sectoral laws in this framework would have been a more than heroic endeavor. Even with omnibus statutes as the chosen method of regulation, only four member states were able to meet the established deadline, and the European Commission even initiated legal action in 1999 in the European Court of Justice against France, Germany, Ireland, Luxembourg, and the Netherlands due to this delay. (25)
The Directive's requirement that national laws reflect its principles has followed the EU in its eastward expansion. The typical omnibus statute also allows for further specification of regulatory norms through sectoral regulations. For example, the BDSG explicitly provides within its first section that federal sectoral laws take precedence over its provisions. (26) And there has been no shortage of sectoral laws in EU member states.
In the United States, by contrast, FIPs have generally developed through laws that regulate information use exclusively on a sector-by-sector basis. The one partial exception in the United States is the Privacy Act of 1974, (27) which is an omnibus law for the public sector, albeit a narrow one. The Privacy Act only regulates certain kinds of federal agencies, and only certain kinds of information use. (28) This Essay discusses the Privacy Act and its genesis in more detail below.
The divergent evolution of U.S. and European law raises the question of why these legal systems took different paths at the fork in the regulatory road. The puzzle is all the more intriguing because an omnibus bill for the private and public sectors, Senate Bill 3418 (S. 3418), was on the table, however briefly, during the formative period in the United States for information privacy. As originally introduced by Senator Samuel Ervin on May 1, 1974, S. 3418 had a broad jurisdictional sweep. It would have established requirements for "[a]ny Federal agency, State or local government, or any other organization maintaining an information system that includes personal information." (29) Before turning to analysis of the divergent regulatory paths in the United States and Europe, I discuss the road not taken by Congress. S. 3418 can also help illustrate differences between an omnibus bill and a sectoral law, whether in the United States or Europe.
The core of any omnibus bill is a reliance on general clauses; these provisions establish FIPs that are of necessity broadly worded because they cannot be directed to a specific area of information processing. As an initial example, S. 3418 would have required public and private entities to "collect, maintain, use, and disseminate only personal information necessary to accomplish a proper purpose of the organization." (30) In the taxonomy of FIPs, which Section I.A discussed above, this language establishes a disclosure limitation. The bill would also have required organizations to "maintain information in the system with accuracy, completeness, timeliness, and pertinence as necessary to assure fairness in determinations relating to a data subject" (31)--a data quality requirement. As a final example, the bill would have placed restrictions on onward transfers. S. 3418 would prohibit the regulated entities from making a "dissemination" of information without meeting certain requirements, such as "including limitations on access thereto, and . . . determining that the conditions of transfer provide substantial assurance that those requirements and limitations will be observed." (32) In other words, the organization transferring personal data would be obliged to determine that the entity receiving the information followed FIPs, including drawing a line against further transfers.
From a contemporary perspective, one of the most interesting aspects of the proposed bill from 1974 is that it would have conditioned international transfers of information on either subject consent or equivalent protections abroad for the personal data. This proposed requirement of "equivalency" would have exceeded the protections later found in the European Data Protection Directive, which was enacted in 1995 and took effect in 1998. The Directive calls only for "adequate" protection before an organization, public or private, in an EU member state is permitted to transfer personal information to an organization in a third-party nation, such as the United States. (33) Yet, taken as a whole, the general clauses of S. 3418 would have proven similar to those in a typical, modern omnibus European data protection law.
In contrast to these omnibus privacy laws, a sectoral approach is necessarily more narrowly tailored and its terms, by their nature, are more specific. The U.S. Video Privacy Protection Act of 1988 (VPPA) provides a good example. (34) Its jurisdictional sweep is limited to a "video tape service provider," which is defined in technology-neutral terms. (35) As a result, the law has been easily extended to DVDs. The VPPA contains FIPs, but these are necessarily tailored to the specific context of the "rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials." (36) A description of its customization will provide a useful illustration of the basics of a sectoral information privacy statute.
As an initial example of this tailoring, the VPPA first forbids video tape service providers from disclosing personal information about their customers. It then provides a series of disclosure exceptions centered on the context of video rentals and sales. Thus, it allows disclosures "incident to the ordinary course of business of the video tape service provider." (37) The VPPA also permits disclosure of a limited subset of information, namely of the names and addresses of consumers, but...