In our April, 2018 newsletter, we told you about the European Union’s sweeping new privacy program known as the ‘General Data Protection Regulation’ (GDPR), effective May 25, 2018. The GDPR changes the landscape for anyone who does business with persons residing in the EU, or who accumulates or processes data originating from EU residents.
In our July 2018 newsletter, we told you about California’s new ‘Consumer Privacy Act of 2018’ (CPA). The CPA headed off a grassroots effort to enshrine privacy in California through a ballot initiative. The CPA creates requirements for persons collecting data from or about California residents and those requirements are similar to, but different from, the requirements of the GDPR. The business interests that aggregate, sell and use consumer data opposed the CPA as undermining their business models. In our July newsletter we opined that the fight would move to Congress in an effort to ‘preempt’ the CPA before it goes into effect on January 1, 2020.
‘Preemption’ is what happens when Federal law countermands state law. The Federal law is the law of the land and a preempted state law is not enforceable.
The effort to preempt the CPA is now underway. Executives of multiple companies that collect data on, …well, you…, appeared before Congress on September 26, begging for a new Federal law preempting the California CPA. Those companies are the luminaries of the U.S. Internet industry, including Amazon, Google, Twitter, Apple and AT&T.
The Administration is on board. The U.S. Department of Commerce published a request for comments on September 25 on an approach and a set of goals for protecting data privacy. The time period for providing comments is very short, with a response deadline of October 26, 2018. Many of the high-levels goals proposed by the Commerce Department are similar to those of the GDPR and the CPA, but the approach is different. The proposed Federal approach is long on incentives, flexibility, and privacy-by-design and short on actual hard requirements, consequences for ignoring the law, and consequences for causing massive data breaches or misusing data.
The Commerce request for comments specifically acknowledges the difficulties created by inconsistent privacy requirements between jurisdictions (i.e. California). The Federal privacy effort in whatever form will address all sectors of the economy other than those sectors where privacy is already specifically regulated such as the medical sector. The Federal Trade Commission will administer the new Federal program.
On the one hand, this author believes that the Department of Commerce approach is organized and remarkably thoughtful. At its best, it could lead to an efficient and effective approach to privacy protection that the rest of the world will admire and emulate.
On the other hand, this author recognizes that the California Consumer Privacy Act, although California law, will suffer the same fate as the dodo and will soon be only a dusty memory. At its worst, the Commerce proposal could allow Big Data to continue collecting, buying, selling and losing our information with no consequence and with no real change to its current practices.
We can all breathe a sigh of relief* that the Internet data business model is secure.